Proxying hypertext transfer protocol (HTTP) requests for microservices

ABSTRACT

In various embodiments, a gateway application generates an outgoing Hypertext Transmission Protocol (HTTP) request based on an incoming HTTP request. In operation, the gateway application receives the incoming HTTP request and identifies an upstream service based on at least one of an HTTP method and a header included in the incoming HTTP request. Subsequently, the gateway application generates an outgoing HTTP request based on the upstream service and the incoming HTTP request. Finally, the gateway application issues the outgoing HTTP request. The outgoing HTTP request causes the upstream service to perform an action requested in the incoming HTTP request. Advantageously, the gateway application enables underlying upstream services to perform actions specified via incoming HTTP requests without directly exposing the upstream services to users.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of the co-pending U.S. patentapplication titled, “PROXYING HYPERTEXT TRANSFER PROTOCOL (HTTP)REQUESTS FOR MICROSERVICES”, filed on Sep. 25, 2017 and having Ser. No.15/715,106. The subject matter of the related application is herebyincorporated herein by reference.

BACKGROUND OF THE INVENTION Field of the Invention

Embodiments of the present invention relate generally to client-serverarchitectures and, more specifically, to techniques for proxyingHypertext Transfer Protocol (HTTP) requests for microservices.

Description of the Related Art

Many providers interact with clients via a client-server architecturebased on the Hypertext Transfer Protocol (HTTP). In operation, clientdevices request actions by issuing HTTP requests and, in response,servers perform actions.

In a monolithic architecture, the provider typically encapsulatesservice components that perform different actions in a single monolithicapplication. To request that a monolithic application performs anaction, a client device generates an HTTP request that specifies aserver on which the monolithic application is executing as a host. Uponreceiving the HTTP request, the monolithic application performs one ormore authentication and/or authorization operations on the HTTP requestto ensure that the HTTP request is valid. Then, if the HTTP request isvalid, the monolithic application evaluates the HTTP request to selectthe appropriate service component to perform the requested action. Themonolithic application then causes the selected service component toperform the requested action.

One limitation of a monolithic application is that a minor change to anyof the service components typically requires the entire monolithicapplication to be rebuilt and deployed. As a result, scaling thedifferent service components to reflect client demand is undesirablycomplicated. Further, because dependencies between the various servicecomponents may not be clearly delineated, maintaining, updating, andensuring the quality of the monolithic application may be difficult anderror-prone.

In an attempt to mitigate some of the limitations of monolithicapplications, some providers implement a microservices architecture. Ina microservices architecture, a provider typically structures eachservice component as an independent microservice. Requested actions arethen performed for clients via a suite of such microservices. Ingeneral, performing requested actions via a suite of microservicesenables providers to efficiently scale individual microservices withoutdisrupting other microservices. Further, any dependencies betweendifferent microservices are clearly delineated. However, performingrequested actions via a suite of microservices does not necessarilyincrease overall flexibility and typically increases overall complexitycompared to performing requested actions via a monolithic application.

For instance, in one approach to providing access to a suite ofmicroservices via HTTP requests, a provider identifies the individualmicroservices to users. To request an action, the user could select amicroservice that is to perform the action. The user could then generatean HTTP request specifying the selected microservice. Upon receiving theHTTP request, the selected microservice could perform one or moreauthentication and/or authorization operations on the HTTP request toensure that the HTTP request is valid. If the HTTP request is valid,then the selected microservice could perform the requested action.

One limitation of this approach for identifying individual microservicesto the users is that the flexibility to make changes to the suite ofmicroservices is constrained by usability concerns. More specifically,when the provider modifies the number and type of microservices includedin the suite of microservices, the users may be unable to properlyrequest services until the provider notifies the users of themodifications. Consequently, to avoid disturbing the users, the providercould be reluctant to make changes to the suite of microservices.

Another limitation of identifying individual microservices to the usersis that each microservice application is required to individuallyimplement any desired authentication and authorization functionality. Asreferred to herein, an instance of a “microservice application” isdeployed to provide a microservice. Embedding authentication andauthorization functionality in each microservice application increasesthe complexity and the time required to develop and maintain themicroservice applications.

As the foregoing illustrates, what is needed in the art are moreeffective techniques for providing access to a suite of microservicesvia HTTP requests.

SUMMARY OF THE INVENTION

One embodiment of the present invention sets forth a method forproviding access to upstream services via Hypertext TransmissionProtocol (HTTP) requests. The method includes identifying a upstreamservice based on at least one of an HTTP method and a header included inan incoming HTTP request, generating an outgoing HTTP request based onthe upstream service and the incoming HTTP request, and issuing theoutgoing HTTP request to cause the upstream service to perform an actionrequested in the incoming HTTP request.

Further embodiments provide, among other things, a computer-readablemedium and a system configured to implement the method set forth above.

One advantage of the disclosed techniques is that upstream services areable to perform actions specified in incoming HTTP requests withoutdirectly exposing the upstream services to users. In particular, aprovider that performs actions for users via a suite of microservicesmay add or remove microservices from the suite of microservices withoutnotifying users of the changes. Consequently, the provider mayindividually scale microservices to reflect user demand.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the presentinvention can be understood in detail, a more particular description ofthe invention, briefly summarized above, may be had by reference toembodiments, some of which are illustrated in the appended drawings. Itis to be noted, however, that the appended drawings illustrate onlytypical embodiments of this invention and are therefore not to beconsidered limiting of its scope, for the invention may admit to otherequally effective embodiments.

FIG. 1 is a block diagram of an example networked computer environment,in accordance with example embodiments;

FIG. 2 is a block diagram of an example data intake and query system, inaccordance with example embodiments;

FIG. 3 is a block diagram of an example cloud-based data intake andquery system, in accordance with example embodiments;

FIG. 4 is a block diagram of an example data intake and query systemthat performs searches across external data systems, in accordance withexample embodiments;

FIG. 5A is a flowchart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments;

FIG. 5B is a block diagram of a data structure in which time-stampedevent data can be stored in a data store, in accordance with exampleembodiments;

FIG. 5C provides a visual representation of the manner in which apipelined search language or query operates, in accordance with exampleembodiments;

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments;

FIG. 6B provides a visual representation of an example manner in which apipelined command language or query operates, in accordance with exampleembodiments;

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments;

FIG. 7B illustrates an example of processing keyword searches and fieldsearches, in accordance with disclosed embodiments;

FIG. 7C illustrates an example of creating and using an inverted index,in accordance with example embodiments;

FIG. 7D depicts a flowchart of example use of an inverted index in apipelined search query, in accordance with example embodiments;

FIG. 8A is an interface diagram of an example user interface for asearch screen, in accordance with example embodiments;

FIG. 8B is an interface diagram of an example user interface for a datasummary dialog that enables a user to select various data sources, inaccordance with example embodiments;

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments;

FIG. 16 is an example search query received from a client and executedby search peers, in accordance with example embodiments;

FIG. 17A is an interface diagram of an example user interface of a keyindicators view, in accordance with example embodiments;

FIG. 17B is an interface diagram of an example user interface of anincident review dashboard, in accordance with example embodiments;

FIG. 17C is a tree diagram of an example a proactive monitoring tree, inaccordance with example embodiments;

FIG. 17D is an interface diagram of an example a user interfacedisplaying both log data and performance data, in accordance withexample embodiments;

FIG. 18 illustrates a gateway application that proxies HypertextTransfer Protocol (HTTP) requests for different microservices includedin a microservice system, in accordance with example embodiments;

FIG. 19 illustrates a technique for translating an incoming HypertextTransfer Protocol (HTTP) request to an outgoing HTTP request via thegateway application of FIG. 18, in accordance with example embodiments;and

FIG. 20 is a flow diagram of method steps for proxying HTTP requests formicroservices, in accordance with example embodiments.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth toprovide a more thorough understanding of the present invention. However,it will be apparent to one of skilled in the art that the presentinvention may be practiced without one or more of these specificdetails.

Embodiments are described herein according to the following outline:

-   -   1.0. General Overview    -   2.0. Operating Environment    -   2.1. Host Devices    -   2.2. Client Devices    -   2.3. Client Device Applications    -   2.4. Data Server System    -   2.5 Cloud-Based System Overview    -   2.6 Searching Externally-Archived Data        -   2.6.1. ERP Process Features    -   2.7. Data Ingestion        -   2.7.1. Input        -   2.7.2. Parsing        -   2.7.3. Indexing    -   2.8. Query Processing    -   2.9. Pipelined Search Language    -   2.10. Field Extraction    -   2.11. Example Search Screen    -   2.12. Data Modeling    -   2.13. Acceleration Techniques        -   2.13.1. Aggregation Technique        -   2.13.2. Keyword Index        -   2.13.3. High Performance Analytics Store        -   2.13.3.1 Extracting Event Data Using Posting Values        -   2.13.4. Accelerating Report Generation    -   2.14. Security Features    -   2.15. Data Center Monitoring    -   2.16. IT Service Monitoring    -   3.0. Microservice System Overview        -   3.0.1. Flexible Techniques for Providing Access to a Suite            of Microservices        -   3.0.2. Translating Incoming HTTP Requests to Outgoing HTTP            Requests

1.0. General Overview

Modern data centers and other computing environments can compriseanywhere from a few host computer systems to thousands of systemsconfigured to process data, service requests from remote clients, andperform numerous other computational tasks. During operation, variouscomponents within these computing environments often generatesignificant volumes of machine data. Machine data is any data producedby a machine or component in an information technology (IT) environmentand that reflects activity in the IT environment. For example, machinedata can be raw machine data that is generated by various components inIT environments, such as servers, sensors, routers, mobile devices,Internet of Things (IoT) devices, etc. Machine data can include systemlogs, network packet data, sensor data, application program data, errorlogs, stack traces, system performance data, etc. In general, machinedata can also include performance data, diagnostic information, and manyother types of data that can be analyzed to diagnose performanceproblems, monitor user interactions, and to derive other insights.

A number of tools are available to analyze machine data. In order toreduce the size of the potentially vast amount of machine data that maybe generated, many of these tools typically pre-process the data basedon anticipated data-analysis needs. For example, pre-specified dataitems may be extracted from the machine data and stored in a database tofacilitate efficient retrieval and analysis of those data items atsearch time. However, the rest of the machine data typically is notsaved and is discarded during pre-processing. As storage capacitybecomes progressively cheaper and more plentiful, there are fewerincentives to discard these portions of machine data and many reasons toretain more of the data.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed machine data for laterretrieval and analysis. In general, storing minimally processed machinedata and performing analysis operations at search time can providegreater flexibility because it enables an analyst to search all of themachine data, instead of searching only a pre-specified set of dataitems. This may enable an analyst to investigate different aspects ofthe machine data that previously were unavailable for analysis.

However, analyzing and searching massive quantities of machine datapresents a number of challenges. For example, a data center, servers, ornetwork appliances may generate many different types and formats ofmachine data (e.g., system logs, network packet data (e.g., wire data,etc.), sensor data, application program data, error logs, stack traces,system performance data, operating system data, virtualization data,etc.) from thousands of different components, which can collectively bevery time-consuming to analyze. In another example, mobile devices maygenerate large amounts of information relating to data accesses,application performance, operating system performance, networkperformance, etc. There can be millions of mobile devices that reportthese types of information.

These challenges can be addressed by using an event-based data intakeand query system, such as the SPLUNK® ENTERPRISE system developed bySplunk Inc. of San Francisco, Calif. The SPLUNK® ENTERPRISE system isthe leading platform for providing real-time operational intelligencethat enables organizations to collect, index, and search machine datafrom various websites, applications, servers, networks, and mobiledevices that power their businesses. The data intake and query system isparticularly useful for analyzing data which is commonly found in systemlog files, network data, and other data input sources. Although many ofthe techniques described herein are explained with reference to a dataintake and query system similar to the SPLUNK® ENTERPRISE system, thesetechniques are also applicable to other types of data systems.

In the data intake and query system, machine data are collected andstored as “events”. An event comprises a portion of machine data and isassociated with a specific point in time. The portion of machine datamay reflect activity in an IT environment and may be produced by acomponent of that IT environment, where the events may be searched toprovide insight into the IT environment, thereby improving theperformance of components in the IT environment. Events may be derivedfrom “time series data,” where the time series data comprises a sequenceof data points (e.g., performance measurements from a computer system,etc.) that are associated with successive points in time. In general,each event has a portion of machine data that is associated with atimestamp that is derived from the portion of machine data in the event.A timestamp of an event may be determined through interpolation betweentemporally proximate events having known timestamps or may be determinedbased on other configurable rules for associating timestamps withevents.

In some instances, machine data can have a predefined format, where dataitems with specific data formats are stored at predefined locations inthe data. For example, the machine data may include data associated withfields in a database table. In other instances, machine data may nothave a predefined format (e.g., may not be at fixed, predefinedlocations), but may have repeatable (e.g., non-random) patterns. Thismeans that some machine data can comprise various data items ofdifferent data types that may be stored at different locations withinthe data. For example, when the data source is an operating system log,an event can include one or more lines from the operating system logcontaining machine data that includes different types of performance anddiagnostic information associated with a specific point in time (e.g., atimestamp).

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,Internet of Things (IoT) devices, etc. The machine data generated bysuch data sources can include, for example and without limitation,server log files, activity log files, configuration files, messages,network packet data, performance measurements, sensor measurements, etc.

The data intake and query system uses a flexible schema to specify howto extract information from events. A flexible schema may be developedand redefined as needed. Note that a flexible schema may be applied toevents “on the fly,” when it is needed (e.g., at search time, indextime, ingestion time, etc.). When the schema is not applied to eventsuntil search time, the schema may be referred to as a “late-bindingschema.”

During operation, the data intake and query system receives machine datafrom any type and number of sources (e.g., one or more system logs,streams of network packet data, sensor data, application program data,error logs, stack traces, system performance data, etc.). The systemparses the machine data to produce events each having a portion ofmachine data associated with a timestamp. The system stores the eventsin a data store. The system enables users to run queries against thestored events to, for example, retrieve events that meet criteriaspecified in a query, such as criteria indicating certain keywords orhaving specific values in defined fields. As used herein, the term“field” refers to a location in the machine data of an event containingone or more values for a specific data item. A field may be referencedby a field name associated with the field. As will be described in moredetail herein, a field is defined by an extraction rule (e.g., a regularexpression) that derives one or more values or a sub-portion of textfrom the portion of machine data in each event to produce a value forthe field for that event. The set of values produced aresemantically-related (such as IP address), even though the machine datain each event may be in different formats (e.g., semantically-relatedvalues may be in different positions in the events derived fromdifferent sources).

As described above, the system stores the events in a data store. Theevents stored in the data store are field-searchable, wherefield-searchable herein refers to the ability to search the machine data(e.g., the raw machine data) of an event based on a field specified insearch criteria. For example, a search having criteria that specifies afield name “UserID” may cause the system to field-search the machinedata of events to identify events that have the field name “UserID.” Inanother example, a search having criteria that specifies a field name“UserID” with a corresponding field value “12345” may cause the systemto field-search the machine data of events to identify events havingthat field-value pair (e.g., field name “UserID” with a correspondingfield value of “12345”). Events are field-searchable using one or moreconfiguration files associated with the events. Each configuration fileincludes one or more field names, where each field name is associatedwith a corresponding extraction rule and a set of events to which thatextraction rule applies. The set of events to which an extraction ruleapplies may be identified by metadata associated with the set of events.For example, an extraction rule may apply to a set of events that areeach associated with a particular host, source, or source type. Whenevents are to be searched based on a particular field name specified ina search, the system uses one or more configuration files to determinewhether there is an extraction rule for that particular field name thatapplies to each event that falls within the criteria of the search. Ifso, the event is considered as part of the search results (andadditional processing may be performed on that event based on criteriaspecified in the search). If not, the next event is similarly analyzed,and so on.

As noted above, the data intake and query system utilizes a late-bindingschema while performing queries on events. One aspect of a late-bindingschema is applying extraction rules to events to extract values forspecific fields during search time. More specifically, the extractionrule for a field can include one or more instructions that specify howto extract a value for the field from an event. An extraction rule cangenerally include any type of instruction for extracting values fromevents. In some cases, an extraction rule comprises a regularexpression, where a sequence of characters form a search pattern. Anextraction rule comprising a regular expression is referred to herein asa regex rule. The system applies a regex rule to an event to extractvalues for a field associated with the regex rule, where the values areextracted by searching the event for the sequence of characters definedin the regex rule.

In the data intake and query system, a field extractor may be configuredto automatically generate extraction rules for certain fields in theevents when the events are being created, indexed, or stored, orpossibly at a later time. Alternatively, a user may manually defineextraction rules for fields using a variety of techniques. In contrastto a conventional schema for a database system, a late-binding schema isnot defined at data ingestion time. Instead, the late-binding schema canbe developed on an ongoing basis until the time a query is actuallyexecuted. This means that extraction rules for the fields specified in aquery may be provided in the query itself, or may be located duringexecution of the query. Hence, as a user learns more about the data inthe events, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules for use the next time the schema is used by the system. Becausethe data intake and query system maintains the underlying machine dataand uses a late-binding schema for searching the machine data, itenables a user to continue investigating and learn valuable insightsabout the machine data.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent and/or similar data items, even thoughthe fields may be associated with different types of events thatpossibly have different data formats and different extraction rules. Byenabling a common field name to be used to identify equivalent and/orsimilar fields from different types of events generated by disparatedata sources, the system facilitates use of a “common information model”(CIM) across the disparate data sources (further discussed with respectto FIG. 7A).

2.0. Operating Environment

FIG. 1 is a block diagram of an example networked computer environment100, in accordance with example embodiments. Those skilled in the artwould understand that FIG. 1 represents one example of a networkedcomputer system and other embodiments may use different arrangements.

The networked computer system 100 comprises one or more computingdevices. These one or more computing devices comprise any combination ofhardware and software configured to implement the various logicalcomponents described herein. For example, the one or more computingdevices may include one or more memories that store instructions forimplementing the various components described herein, one or morehardware processors configured to execute the instructions stored in theone or more memories, and various data repositories in the one or morememories for storing data structures utilized and manipulated by thevarious components.

In some embodiments, one or more client devices 102 are coupled to oneor more host devices 106 and a data intake and query system 108 via oneor more networks 104. Networks 104 broadly represent one or more LANs,WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellulartechnologies), and/or networks using any of wired, wireless, terrestrialmicrowave, or satellite links, and may include the public Internet.

2.1. Host Devices

In the illustrated embodiment, a system 100 includes one or more hostdevices 106. Host devices 106 may broadly include any number ofcomputers, virtual machine instances, and/or data centers that areconfigured to host or execute one or more instances of host applications114. In general, a host device 106 may be involved, directly orindirectly, in processing requests received from client devices 102.Each host device 106 may comprise, for example, one or more of a networkdevice, a web server, an application server, a database server, etc. Acollection of host devices 106 may be configured to implement anetwork-based service. For example, a provider of a network-basedservice may configure one or more host devices 106 and host applications114 (e.g., one or more web servers, application servers, databaseservers, etc.) to collectively implement the network-based application.

In general, client devices 102 communicate with one or more hostapplications 114 to exchange information. The communication between aclient device 102 and a host application 114 may, for example, be basedon the Hypertext Transfer Protocol (HTTP) or any other network protocol.Content delivered from the host application 114 to a client device 102may include, for example, HTML documents, media content, etc. Thecommunication between a client device 102 and host application 114 mayinclude sending various requests and receiving data packets. Forexample, in general, a client device 102 or application running on aclient device may initiate communication with a host application 114 bymaking a request for a specific resource (e.g., based on an HTTPrequest), and the application server may respond with the requestedcontent stored in one or more response packets.

In the illustrated embodiment, one or more of host applications 114 maygenerate various types of performance data during operation, includingevent logs, network data, sensor data, and other types of machine data.For example, a host application 114 comprising a web server may generateone or more web server logs in which details of interactions between theweb server and any number of client devices 102 is recorded. As anotherexample, a host device 106 comprising a router may generate one or morerouter logs that record information related to network traffic managedby the router. As yet another example, a host application 114 comprisinga database server may generate one or more logs that record informationrelated to requests sent from other host applications 114 (e.g., webservers or application servers) for data managed by the database server.

2.2. Client Devices

Client devices 102 of FIG. 1 represent any computing device capable ofinteracting with one or more host devices 106 via a network 104.Examples of client devices 102 may include, without limitation, smartphones, tablet computers, handheld computers, wearable devices, laptopcomputers, desktop computers, servers, portable media players, gamingdevices, and so forth. In general, a client device 102 can provideaccess to different content, for instance, content provided by one ormore host devices 106, etc. Each client device 102 may comprise one ormore client applications 110, described in more detail in a separatesection hereinafter.

2.3. Client Device Applications

In some embodiments, each client device 102 may host or execute one ormore client applications 110 that are capable of interacting with one ormore host devices 106 via one or more networks 104. For instance, aclient application 110 may be or comprise a web browser that a user mayuse to navigate to one or more websites or other resources provided byone or more host devices 106. As another example, a client application110 may comprise a mobile application or “app.” For example, an operatorof a network-based service hosted by one or more host devices 106 maymake available one or more mobile apps that enable users of clientdevices 102 to access various resources of the network-based service. Asyet another example, client applications 110 may include backgroundprocesses that perform various operations without direct interactionfrom a user. A client application 110 may include a “plug-in” or“extension” to another application, such as a web browser plug-in orextension.

In some embodiments, a client application 110 may include a monitoringcomponent 112. At a high level, the monitoring component 112 comprises asoftware component or other logic that facilitates generatingperformance data related to a client device's operating state, includingmonitoring network traffic sent and received from the client device andcollecting other device and/or application-specific information.Monitoring component 112 may be an integrated component of a clientapplication 110, a plug-in, an extension, or any other type of add-oncomponent. Monitoring component 112 may also be a stand-alone process.

In some embodiments, a monitoring component 112 may be created when aclient application 110 is developed, for example, by an applicationdeveloper using a software development kit (SDK). The SDK may includecustom monitoring code that can be incorporated into the codeimplementing a client application 110. When the code is converted to anexecutable application, the custom code implementing the monitoringfunctionality can become part of the application itself.

In some embodiments, an SDK or other code for implementing themonitoring functionality may be offered by a provider of a data intakeand query system, such as a system 108. In such cases, the provider ofthe system 108 can implement the custom code so that performance datagenerated by the monitoring functionality is sent to the system 108 tofacilitate analysis of the performance data by a developer of the clientapplication or other users.

In some embodiments, the custom monitoring code may be incorporated intothe code of a client application 110 in a number of different ways, suchas the insertion of one or more lines in the client application codethat call or otherwise invoke the monitoring component 112. As such, adeveloper of a client application 110 can add one or more lines of codeinto the client application 110 to trigger the monitoring component 112at desired points during execution of the application. Code thattriggers the monitoring component may be referred to as a monitortrigger. For instance, a monitor trigger may be included at or near thebeginning of the executable code of the client application 110 such thatthe monitoring component 112 is initiated or triggered as theapplication is launched, or included at other points in the code thatcorrespond to various actions of the client application, such as sendinga network request or displaying a particular interface.

In some embodiments, the monitoring component 112 may monitor one ormore aspects of network traffic sent and/or received by a clientapplication 110. For example, the monitoring component 112 may beconfigured to monitor data packets transmitted to and/or from one ormore host applications 114. Incoming and/or outgoing data packets can beread or examined to identify network data contained within the packets,for example, and other aspects of data packets can be analyzed todetermine a number of network performance statistics. Monitoring networktraffic may enable information to be gathered particular to the networkperformance associated with a client application 110 or set ofapplications.

In some embodiments, network performance data refers to any type of datathat indicates information about the network and/or network performance.Network performance data may include, for instance, a URL requested, aconnection type (e.g., HTTP, HTTPS, etc.), a connection start time, aconnection end time, an HTTP status code, request length, responselength, request headers, response headers, connection status (e.g.,completion, response time(s), failure, etc.), and the like. Uponobtaining network performance data indicating performance of thenetwork, the network performance data can be transmitted to a dataintake and query system 108 for analysis.

Upon developing a client application 110 that incorporates a monitoringcomponent 112, the client application 110 can be distributed to clientdevices 102. Applications generally can be distributed to client devices102 in any manner, or they can be pre-loaded. In some cases, theapplication may be distributed to a client device 102 via an applicationmarketplace or other application distribution system. For instance, anapplication marketplace or other application distribution system mightdistribute the application to a client device based on a request fromthe client device to download the application.

Examples of functionality that enables monitoring performance of aclient device are described in U.S. patent application Ser. No.14/524,748, entitled “UTILIZING PACKET HEADERS TO MONITOR NETWORKTRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE”, filed on 27 Oct. 2014, andwhich is hereby incorporated by reference in its entirety for allpurposes.

In some embodiments, the monitoring component 112 may also monitor andcollect performance data related to one or more aspects of theoperational state of a client application 110 and/or client device 102.For example, a monitoring component 112 may be configured to collectdevice performance information by monitoring one or more client deviceoperations, or by making calls to an operating system and/or one or moreother applications executing on a client device 102 for performanceinformation. Device performance information may include, for instance, acurrent wireless signal strength of the device, a current connectiontype and network carrier, current memory performance information, ageographic location of the device, a device orientation, and any otherinformation related to the operational state of the client device.

In some embodiments, the monitoring component 112 may also monitor andcollect other device profile information including, for example, a typeof client device, a manufacturer and model of the device, versions ofvarious software applications installed on the device, and so forth.

In general, a monitoring component 112 may be configured to generateperformance data in response to a monitor trigger in the code of aclient application 110 or other triggering application event, asdescribed above, and to store the performance data in one or more datarecords. Each data record, for example, may include a collection offield-value pairs, each field-value pair storing a particular item ofperformance data in association with a field for the item. For example,a data record generated by a monitoring component 112 may include a“networkLatency” field (not shown in the Figure) in which a value isstored. This field indicates a network latency measurement associatedwith one or more network requests. The data record may include a “state”field to store a value indicating a state of a network connection, andso forth for any number of aspects of collected performance data.

2.4. Data Server System

FIG. 2 is a block diagram of an example data intake and query system108, in accordance with example embodiments. System 108 includes one ormore forwarders 204 that receive data from a variety of input datasources 202, and one or more indexers 206 that process and store thedata in one or more data stores 208. These forwarders 204 and indexers208 can comprise separate computer systems, or may alternativelycomprise separate processes executing on one or more computer systems.

Each data source 202 broadly represents a distinct source of data thatcan be consumed by system 108. Examples of a data sources 202 include,without limitation, data files, directories of files, data sent over anetwork, event logs, registries, etc.

During operation, the forwarders 204 identify which indexers 206 receivedata collected from a data source 202 and forward the data to theappropriate indexers. Forwarders 204 can also perform operations on thedata before forwarding, including removing extraneous data, detectingtimestamps in the data, parsing data, indexing data, routing data basedon criteria relating to the data being routed, and/or performing otherdata transformations.

In some embodiments, a forwarder 204 may comprise a service accessibleto client devices 102 and host devices 106 via a network 104. Forexample, one type of forwarder 204 may be capable of consuming vastamounts of real-time data from a potentially large number of clientdevices 102 and/or host devices 106. The forwarder 204 may, for example,comprise a computing device which implements multiple data pipelines or“queues” to handle forwarding of network data to indexers 206. Aforwarder 204 may also perform many of the functions that are performedby an indexer. For example, a forwarder 204 may perform keywordextractions on raw data or parse raw data to create events. A forwarder204 may generate time stamps for events. Additionally or alternatively,a forwarder 204 may perform routing of events to indexers 206. Datastore 208 may contain events derived from machine data from a variety ofsources all pertaining to the same component in an IT environment, andthis data may be produced by the machine in question or by othercomponents in the IT environment.

2.5. Cloud-Based System Overview

The example data intake and query system 108 described in reference toFIG. 2 comprises several system components, including one or moreforwarders, indexers, and search heads. In some environments, a user ofa data intake and query system 108 may install and configure, oncomputing devices owned and operated by the user, one or more softwareapplications that implement some or all of these system components. Forexample, a user may install a software application on server computersowned by the user and configure each server to operate as one or more ofa forwarder, an indexer, a search head, etc. This arrangement generallymay be referred to as an “on-premises” solution. That is, the system 108is installed and operates on computing devices directly controlled bythe user of the system. Some users may prefer an on-premises solutionbecause it may provide a greater level of control over the configurationof certain aspects of the system (e.g., security, privacy, standards,controls, etc.). However, other users may instead prefer an arrangementin which the user is not directly responsible for providing and managingthe computing devices upon which various components of system 108operate.

In one embodiment, to provide an alternative to an entirely on-premisesenvironment for system 108, one or more of the components of a dataintake and query system instead may be provided as a cloud-basedservice. In this context, a cloud-based service refers to a servicehosted by one more computing resources that are accessible to end usersover a network, for example, by using a web browser or other applicationon a client device to interface with the remote computing resources. Forexample, a service provider may provide a cloud-based data intake andquery system by managing computing resources configured to implementvarious aspects of the system (e.g., forwarders, indexers, search heads,etc.) and by providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice. Each subscribing user of the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

FIG. 3 illustrates a block diagram of an example cloud-based data intakeand query system. Similar to the system of FIG. 2, the networkedcomputer system 300 includes input data sources 202 and forwarders 204.These input data sources and forwarders may be in a subscriber's privatecomputing environment. Alternatively, they might be directly managed bythe service provider as part of the cloud service. In the example system300, one or more forwarders 204 and client devices 302 are coupled to acloud-based data intake and query system 306 via one or more networks304. Network 304 broadly represents one or more LANs, WANs, cellularnetworks, intranetworks, internetworks, etc., using any of wired,wireless, terrestrial microwave, satellite links, etc., and may includethe public Internet, and is used by client devices 302 and forwarders204 to access the system 306. Similar to the system of 38, each of theforwarders 204 may be configured to receive data from an input sourceand to forward the data to other components of the system 306 forfurther processing.

In some embodiments, a cloud-based data intake and query system 306 maycomprise a plurality of system instances 308. In general, each systeminstance 308 may include one or more computing resources managed by aprovider of the cloud-based system 306 made available to a particularsubscriber. The computing resources comprising a system instance 308may, for example, include one or more servers or other devicesconfigured to implement one or more forwarders, indexers, search heads,and other components of a data intake and query system, similar tosystem 108. As indicated above, a subscriber may use a web browser orother application of a client device 302 to access a web portal or otherinterface that enables the subscriber to configure an instance 308.

Providing a data intake and query system as described in reference tosystem 108 as a cloud-based service presents a number of challenges.Each of the components of a system 108 (e.g., forwarders, indexers, andsearch heads) may at times refer to various configuration files storedlocally at each component. These configuration files typically mayinvolve some level of user configuration to accommodate particular typesof data a user desires to analyze and to account for other userpreferences. However, in a cloud-based service context, users typicallymay not have direct access to the underlying computing resourcesimplementing the various system components (e.g., the computingresources comprising each system instance 308) and may desire to makesuch configurations indirectly, for example, using one or more web-basedinterfaces. Thus, the techniques and systems described herein forproviding user interfaces that enable a user to configure source typedefinitions are applicable to both on-premises and cloud-based servicecontexts, or some combination thereof (e.g., a hybrid system where bothan on-premises environment, such as SPLUNK® ENTERPRISE, and acloud-based environment, such as SPLUNK CLOUD™, are centrally visible).

2.6. Searching Externally-Archived Data

FIG. 4 shows a block diagram of an example of a data intake and querysystem 108 that provides transparent search facilities for data systemsthat are external to the data intake and query system. Such facilitiesare available in the Splunk® Analytics for Hadoop® system provided bySplunk Inc. of San Francisco, Calif. Splunk® Analytics for Hadoop®represents an analytics platform that enables business and IT teams torapidly explore, analyze, and visualize data in Hadoop® and NoSQL datastores.

The search head 210 of the data intake and query system receives searchrequests from one or more client devices 404 over network connections420. As discussed above, the data intake and query system 108 may residein an enterprise location, in the cloud, etc. FIG. 4 illustrates thatmultiple client devices 404 a, 404 b, . . . , 404 n may communicate withthe data intake and query system 108. The client devices 404 maycommunicate with the data intake and query system using a variety ofconnections. For example, one client device in FIG. 4 is illustrated ascommunicating over an Internet (Web) protocol, another client device isillustrated as communicating via a command line interface, and anotherclient device is illustrated as communicating via a software developerkit (SDK).

The search head 210 analyzes the received search request to identifyrequest parameters. If a search request received from one of the clientdevices 404 references an index maintained by the data intake and querysystem, then the search head 210 connects to one or more indexers 206 ofthe data intake and query system for the index referenced in the requestparameters. That is, if the request parameters of the search requestreference an index, then the search head accesses the data in the indexvia the indexer. The data intake and query system 108 may include one ormore indexers 206, depending on system access resources andrequirements. As described further below, the indexers 206 retrieve datafrom their respective local data stores 208 as specified in the searchrequest. The indexers and their respective data stores can comprise oneor more storage devices and typically reside on the same system, thoughthey may be connected via a local network connection.

If the request parameters of the received search request reference anexternal data collection, which is not accessible to the indexers 206 orunder the management of the data intake and query system, then thesearch head 210 can access the external data collection through anExternal Result Provider (ERP) process 410. An external data collectionmay be referred to as a “virtual index” (plural, “virtual indices”). AnERP process provides an interface through which the search head 210 mayaccess virtual indices.

Thus, a search reference to an index of the system relates to a locallystored and managed data collection. In contrast, a search reference to avirtual index relates to an externally stored and managed datacollection, which the search head may access through one or more ERPprocesses 410, 412. FIG. 4 shows two ERP processes 410, 412 that connectto respective remote (external) virtual indices, which are indicated asa Hadoop or another system 414 (e.g., Amazon S3, Amazon EMR, otherHadoop® Compatible File Systems (HCFS), etc.) and a relational databasemanagement system (RDBMS) 416. Other virtual indices may include otherfile organizations and protocols, such as Structured Query Language(SQL) and the like. The ellipses between the ERP processes 410, 412indicate optional additional ERP processes of the data intake and querysystem 108. An ERP process may be a computer process that is initiatedor spawned by the search head 210 and is executed by the search dataintake and query system 108. Alternatively or additionally, an ERPprocess may be a process spawned by the search head 210 on the same ordifferent host system as the search head 210 resides.

The search head 210 may spawn a single ERP process in response tomultiple virtual indices referenced in a search request, or the searchhead may spawn different ERP processes for different virtual indices.Generally, virtual indices that share common data configurations orprotocols may share ERP processes. For example, all search queryreferences to a Hadoop file system may be processed by the same ERPprocess, if the ERP process is suitably configured. Likewise, all searchquery references to a SQL database may be processed by the same ERPprocess. In addition, the search head may provide a common ERP processfor common external data source types (e.g., a common vendor may utilizea common ERP process, even if the vendor includes different data storagesystem types, such as Hadoop and SQL). Common indexing schemes also maybe handled by common ERP processes, such as flat text files or Weblogfiles.

The search head 210 determines the number of ERP processes to beinitiated via the use of configuration parameters that are included in asearch request message. Generally, there is a one-to-many relationshipbetween an external results provider “family” and ERP processes. Thereis also a one-to-many relationship between an ERP process andcorresponding virtual indices that are referred to in a search request.For example, using RDBMS, assume two independent instances of such asystem by one vendor, such as one RDBMS for production and another RDBMSused for development. In such a situation, it is likely preferable (butoptional) to use two ERP processes to maintain the independent operationas between production and development data. Both of the ERPs, however,will belong to the same family, because the two RDBMS system types arefrom the same vendor.

The ERP processes 410, 412 receive a search request from the search head210. The search head may optimize the received search request forexecution at the respective external virtual index. Alternatively, theERP process may receive a search request as a result of analysisperformed by the search head or by a different system process. The ERPprocesses 410, 412 can communicate with the search head 210 viaconventional input/output routines (e.g., standard in/standard out,etc.). In this way, the ERP process receives the search request from aclient device such that the search request may be efficiently executedat the corresponding external virtual index.

The ERP processes 410, 412 may be implemented as a process of the dataintake and query system. Each ERP process may be provided by the dataintake and query system, or may be provided by process or applicationproviders who are independent of the data intake and query system. Eachrespective ERP process may include an interface application installed ata computer of the external result provider that ensures propercommunication between the search support system and the external resultprovider. The ERP processes 410, 412 generate appropriate searchrequests in the protocol and syntax of the respective virtual indices414, 416, each of which corresponds to the search request received bythe search head 210. Upon receiving search results from theircorresponding virtual indices, the respective ERP process passes theresult to the search head 210, which may return or display the resultsor a processed set of results based on the returned results to therespective client device.

Client devices 404 may communicate with the data intake and query system108 through a network interface 420, e.g., one or more LANs, WANs,cellular networks, intranetworks, and/or internetworks using any ofwired, wireless, terrestrial microwave, satellite links, etc., and mayinclude the public Internet.

The analytics platform utilizing the External Result Provider processdescribed in more detail in U.S. Pat. No. 8,738,629, entitled “ExternalResult Provided Process For Retrieving Data Stored Using A DifferentConfiguration Or Protocol”, issued on 27 May 2014, U.S. Pat. No.8,738,587, entitled “PROCESSING A SYSTEM SEARCH REQUEST BY RETRIEVINGRESULTS FROM BOTH A NATIVE INDEX AND A VIRTUAL INDEX”, issued on 25 Jul.2013, U.S. patent application Ser. No. 14/266,832, entitled “PROCESSINGA SYSTEM SEARCH REQUEST ACROSS DISPARATE DATA COLLECTION SYSTEMS”, filedon 1 May 2014, and U.S. Pat. No. 9,514,189, entitled “PROCESSING ASYSTEM SEARCH REQUEST INCLUDING EXTERNAL DATA SOURCES”, issued on 6 Dec.2016, each of which is hereby incorporated by reference in its entiretyfor all purposes.

2.6.1. ERP Process Features

The ERP processes described above may include two operation modes: astreaming mode and a reporting mode. The ERP processes can operate instreaming mode only, in reporting mode only, or in both modessimultaneously. Operating in both modes simultaneously is referred to asmixed mode operation. In a mixed mode operation, the ERP at some pointcan stop providing the search head with streaming results and onlyprovide reporting results thereafter, or the search head at some pointmay start ignoring streaming results it has been using and only usereporting results thereafter.

The streaming mode returns search results in real time, with minimalprocessing, in response to the search request. The reporting modeprovides results of a search request with processing of the searchresults prior to providing them to the requesting search head, which inturn provides results to the requesting client device. ERP operationwith such multiple modes provides greater performance flexibility withregard to report time, search latency, and resource utilization.

In a mixed mode operation, both streaming mode and reporting mode areoperating simultaneously. The streaming mode results (e.g., the machinedata obtained from the external data source) are provided to the searchhead, which can then process the results data (e.g., break the machinedata into events, timestamp it, filter it, etc.) and integrate theresults data with the results data from other external data sources,and/or from data stores of the search head. The search head performssuch processing and can immediately start returning interim (streamingmode) results to the user at the requesting client device;simultaneously, the search head is waiting for the ERP process toprocess the data it is retrieving from the external data source as aresult of the concurrently executing reporting mode.

In some instances, the ERP process initially operates in a mixed mode,such that the streaming mode operates to enable the ERP quickly toreturn interim results (e.g., some of the machined data or unprocesseddata necessary to respond to a search request) to the search head,enabling the search head to process the interim results and beginproviding to the client or search requester interim results that areresponsive to the query. Meanwhile, in this mixed mode, the ERP alsooperates concurrently in reporting mode, processing portions of machinedata in a manner responsive to the search query. Upon determining thatit has results from the reporting mode available to return to the searchhead, the ERP may halt processing in the mixed mode at that time (orsome later time) by stopping the return of data in streaming mode to thesearch head and switching to reporting mode only. The ERP at this pointstarts sending interim results in reporting mode to the search head,which in turn may then present this processed data responsive to thesearch request to the client or search requester. Typically the searchhead switches from using results from the ERP's streaming mode ofoperation to results from the ERP's reporting mode of operation when thehigher bandwidth results from the reporting mode outstrip the amount ofdata processed by the search head in the streaming mode of ERPoperation.

A reporting mode may have a higher bandwidth because the ERP does nothave to spend time transferring data to the search head for processingall the machine data. In addition, the ERP may optionally direct anotherprocessor to do the processing.

The streaming mode of operation does not need to be stopped to gain thehigher bandwidth benefits of a reporting mode; the search head couldsimply stop using the streaming mode results—and start using thereporting mode results—when the bandwidth of the reporting mode hascaught up with or exceeded the amount of bandwidth provided by thestreaming mode. Thus, a variety of triggers and ways to accomplish asearch head's switch from using streaming mode results to usingreporting mode results may be appreciated by one skilled in the art.

The reporting mode can involve the ERP process (or an external system)performing event breaking, time stamping, filtering of events to matchthe search query request, and calculating statistics on the results. Theuser can request particular types of data, such as if the search queryitself involves types of events, or the search request may ask forstatistics on data, such as on events that meet the search request. Ineither case, the search head understands the query language used in thereceived query request, which may be a proprietary language. Oneexemplary query language is Splunk Processing Language (SPL) developedby the assignee of the application, Splunk Inc. The search headtypically understands how to use that language to obtain data from theindexers, which store data in a format used by the SPLUNK® Enterprisesystem.

The ERP processes support the search head, as the search head is notordinarily configured to understand the format in which data is storedin external data sources such as Hadoop or SQL data systems. Rather, theERP process performs that translation from the query submitted in thesearch support system's native format (e.g., SPL if SPLUNK® ENTERPRISEis used as the search support system) to a search query request formatthat will be accepted by the corresponding external data system. Theexternal data system typically stores data in a different format fromthat of the search support system's native index format, and it utilizesa different query language (e.g., SQL or MapReduce, rather than SPL orthe like).

As noted, the ERP process can operate in the streaming mode alone. Afterthe ERP process has performed the translation of the query request andreceived raw results from the streaming mode, the search head canintegrate the returned data with any data obtained from local datasources (e.g., native to the search support system), other external datasources, and other ERP processes (if such operations were required tosatisfy the terms of the search query). An advantage of mixed modeoperation is that, in addition to streaming mode, the ERP process isalso executing concurrently in reporting mode. Thus, the ERP process(rather than the search head) is processing query results (e.g.,performing event breaking, timestamping, filtering, possibly calculatingstatistics if required to be responsive to the search query request,etc.). It should be apparent to those skilled in the art that additionaltime is needed for the ERP process to perform the processing in such aconfiguration. Therefore, the streaming mode will allow the search headto start returning interim results to the user at the client devicebefore the ERP process can complete sufficient processing to startreturning any search results. The switchover between streaming andreporting mode happens when the ERP process determines that theswitchover is appropriate, such as when the ERP process determines itcan begin returning meaningful results from its reporting mode.

The operation described above illustrates the source of operationallatency: streaming mode has low latency (immediate results) and usuallyhas relatively low bandwidth (fewer results can be returned per unit oftime). In contrast, the concurrently running reporting mode hasrelatively high latency (it has to perform a lot more processing beforereturning any results) and usually has relatively high bandwidth (moreresults can be processed per unit of time). For example, when the ERPprocess does begin returning report results, it returns more processedresults than in the streaming mode, because, e.g., statistics only needto be calculated to be responsive to the search request. That is, theERP process doesn't have to take time to first return machine data tothe search head. As noted, the ERP process could be configured tooperate in streaming mode alone and return just the machine data for thesearch head to process in a way that is responsive to the searchrequest. Alternatively, the ERP process can be configured to operate inthe reporting mode only. Also, the ERP process can be configured tooperate in streaming mode and reporting mode concurrently, as described,with the ERP process stopping the transmission of streaming results tothe search head when the concurrently running reporting mode has caughtup and started providing results. The reporting mode does not requirethe processing of all machine data that is responsive to the searchquery request before the ERP process starts returning results; rather,the reporting mode usually performs processing of chunks of events andreturns the processing results to the search head for each chunk.

For example, an ERP process can be configured to merely return thecontents of a search result file verbatim, with little or no processingof results. That way, the search head performs all processing (such asparsing byte streams into events, filtering, etc.). The ERP process canbe configured to perform additional intelligence, such as analyzing thesearch request and handling all the computation that a native searchindexer process would otherwise perform. In this way, the configured ERPprocess provides greater flexibility in features while operatingaccording to desired preferences, such as response latency and resourcerequirements.

2.7. Data Ingestion

FIG. 5A is a flow chart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments. The data flow illustrated in FIG.5A is provided for illustrative purposes only; those skilled in the artwould understand that one or more of the steps of the processesillustrated in FIG. 5A may be removed or that the ordering of the stepsmay be changed. Furthermore, for the purposes of illustrating a clearexample, one or more particular system components are described in thecontext of performing various operations during each of the data flowstages. For example, a forwarder is described as receiving andprocessing machine data during an input phase; an indexer is describedas parsing and indexing machine data during parsing and indexing phases;and a search head is described as performing a search query during asearch phase. However, other system arrangements and distributions ofthe processing steps across system components may be used.

2.7.1. Input

At block 502, a forwarder receives data from an input source, such as adata source 202 shown in FIG. 2. A forwarder initially may receive thedata as a raw data stream generated by the input source. For example, aforwarder may receive a data stream from a log file generated by anapplication server, from a stream of network data from a network device,or from any other source of data. In some embodiments, a forwarderreceives the raw data and may segment the data stream into “blocks”,possibly of a uniform data size, to facilitate subsequent processingsteps.

At block 504, a forwarder or other system component annotates each blockgenerated from the raw data with one or more metadata fields. Thesemetadata fields may, for example, provide information related to thedata block as a whole and may apply to each event that is subsequentlyderived from the data in the data block. For example, the metadatafields may include separate fields specifying each of a host, a source,and a source type related to the data block. A host field may contain avalue identifying a host name or IP address of a device that generatedthe data. A source field may contain a value identifying a source of thedata, such as a pathname of a file or a protocol and port related toreceived network data. A source type field may contain a valuespecifying a particular source type label for the data. Additionalmetadata fields may also be included during the input phase, such as acharacter encoding of the data, if known, and possibly other values thatprovide information relevant to later processing steps. In someembodiments, a forwarder forwards the annotated data blocks to anothersystem component (typically an indexer) for further processing.

The data intake and query system allows forwarding of data from one dataintake and query instance to another, or even to a third-party system.The data intake and query system can employ different types offorwarders in a configuration.

In some embodiments, a forwarder may contain the essential componentsneeded to forward data. A forwarder can gather data from a variety ofinputs and forward the data to an indexer for indexing and searching. Aforwarder can also tag metadata (e.g., source, source type, host, etc.).

In some embodiments, a forwarder has the capabilities of theaforementioned forwarder as well as additional capabilities. Theforwarder can parse data before forwarding the data (e.g., can associatea time stamp with a portion of data and create an event, etc.) and canroute data based on criteria such as source or type of event. Theforwarder can also index data locally while forwarding the data toanother indexer.

2.7.2. Parsing

At block 506, an indexer receives data blocks from a forwarder andparses the data to organize the data into events. In some embodiments,to organize the data into events, an indexer may determine a source typeassociated with each data block (e.g., by extracting a source type labelfrom the metadata fields associated with the data block, etc.) and referto a source type configuration corresponding to the identified sourcetype. The source type definition may include one or more properties thatindicate to the indexer to automatically determine the boundaries withinthe received data that indicate the portions of machine data for events.In general, these properties may include regular expression-based rulesor delimiter rules where, for example, event boundaries may be indicatedby predefined characters or character strings. These predefinedcharacters may include punctuation marks or other special charactersincluding, for example, carriage returns, tabs, spaces, line breaks,etc. If a source type for the data is unknown to the indexer, an indexermay infer a source type for the data by examining the structure of thedata. Then, the indexer can apply an inferred source type definition tothe data to create the events.

At block 508, the indexer determines a timestamp for each event. Similarto the process for parsing machine data, an indexer may again refer to asource type definition associated with the data to locate one or moreproperties that indicate instructions for determining a timestamp foreach event. The properties may, for example, instruct an indexer toextract a time value from a portion of data for the event, tointerpolate time values based on timestamps associated with temporallyproximate events, to create a timestamp based on a time the portion ofmachine data was received or generated, to use the timestamp of aprevious event, or use any other rules for determining timestamps.

At block 510, the indexer associates with each event one or moremetadata fields including a field containing the timestamp determinedfor the event. In some embodiments, a timestamp may be included in themetadata fields. These metadata fields may include any number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. Similar to themetadata fields associated with the data blocks at block 504, thedefault metadata fields associated with each event may include a host,source, and source type field including or in addition to a fieldstoring the timestamp.

At block 512, an indexer may optionally apply one or moretransformations to data included in the events created at block 506. Forexample, such transformations can include removing a portion of an event(e.g., a portion used to define event boundaries, extraneous charactersfrom the event, other extraneous text, etc.), masking a portion of anevent (e.g., masking a credit card number), removing redundant portionsof an event, etc. The transformations applied to events may, forexample, be specified in one or more configuration files and referencedby one or more source type definitions.

FIG. 5C illustrates an illustrative example of machine data can bestored in a data store in accordance with various disclosed embodiments.In other embodiments, machine data can be stored in a flat file in acorresponding bucket with an associated index file, such as a timeseries index or “TSIDX.” As such, the depiction of machine data andassociated metadata as rows and columns in the table of FIG. 5C ismerely illustrative and is not intended to limit the data format inwhich the machine data and metadata is stored in various embodimentsdescribed herein. In one particular embodiment, machine data can bestored in a compressed or encrypted formatted. In such embodiments, themachine data can be stored with or be associated with data thatdescribes the compression or encryption scheme with which the machinedata is stored. The information about the compression or encryptionscheme can be used to decompress or decrypt the machine data, and anymetadata with which it is stored, at search time.

As mentioned above, certain metadata, e.g., host 536, source 537, sourcetype 538 and timestamps 535 can be generated for each event, andassociated with a corresponding portion of machine data 539 when storingthe event data in a data store, e.g., data store 208. Any of themetadata can be extracted from the corresponding machine data, orsupplied or defined by an entity, such as a user or computer system. Themetadata fields can become part of or stored with the event. Note thatwhile the time-stamp metadata field can be extracted from the raw dataof each event, the values for the other metadata fields may bedetermined by the indexer based on information it receives pertaining tothe source of the data separate from the machine data.

While certain default or user-defined metadata fields can be extractedfrom the machine data for indexing purposes, all the machine data withinan event can be maintained in its original condition. As such, inembodiments in which the portion of machine data included in an event isunprocessed or otherwise unaltered, it is referred to herein as aportion of raw machine data. In other embodiments, the port of machinedata in an event can be processed or otherwise altered. As such, unlesscertain information needs to be removed for some reasons (e.g.extraneous information, confidential information), all the raw machinedata contained in an event can be preserved and saved in its originalform. Accordingly, the data store in which the event records are storedis sometimes referred to as a “raw record data store.” The raw recorddata store contains a record of the raw event data tagged with thevarious default fields.

In FIG. 5C, the first three rows of the table represent events 531, 532,and 533 and are related to a server access log that records requestsfrom multiple clients processed by a server, as indicated by entry of“access.log” in the source column 536.

In the example shown in FIG. 5C, each of the events 531-534 isassociated with a discrete request made from a client device. The rawmachine data generated by the server and extracted from a server accesslog can include the IP address of the client 540, the user id of theperson requesting the document 541, the time the server finishedprocessing the request 542, the request line from the client 543, thestatus code returned by the server to the client 545, the size of theobject returned to the client (in this case, the gif file requested bythe client) 546 and the time spent to serve the request in microseconds544. As seen in FIG. 5C, all the raw machine data retrieved from theserver access log is retained and stored as part of the correspondingevents, 1221, 1222, and 1223 in the data store.

Event 534 is associated with an entry in a server error log, asindicated by “error.log” in the source column 537, that records errorsthat the server encountered when processing a client request. Similar tothe events related to the server access log, all the raw machine data inthe error log file pertaining to event 534 can be preserved and storedas part of the event 534.

Saving minimally processed or unprocessed machine data in a data storeassociated with metadata fields in the manner similar to that shown inFIG. 5C is advantageous because it allows search of all the machine dataat search time instead of searching only previously specified andidentified fields or field-value pairs. As mentioned above, because datastructures used by various embodiments of the present disclosuremaintain the underlying raw machine data and use a late-binding schemafor searching the raw machines data, it enables a user to continueinvestigating and learn valuable insights about the raw data. In otherwords, the user is not compelled to know about all the fields ofinformation that will be needed at data ingestion time. As a user learnsmore about the data in the events, the user can continue to refine thelate-binding schema by defining new extraction rules, or modifying ordeleting existing extraction rules used by the system.

2.7.3. Indexing

At blocks 514 and 516, an indexer can optionally generate a keywordindex to facilitate fast keyword searching for events. To build akeyword index, at block 514, the indexer identifies a set of keywords ineach event. At block 516, the indexer includes the identified keywordsin an index, which associates each stored keyword with referencepointers to events containing that keyword (or to locations withinevents where that keyword is located, other location identifiers, etc.).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries for fieldname-value pairs found in events, where a field name-value pair caninclude a pair of keywords connected by a symbol, such as an equals signor colon. This way, events containing these field name-value pairs canbe quickly located. In some embodiments, fields can automatically begenerated for some or all of the field names of the field name-valuepairs at the time of indexing. For example, if the string“dest=10.0.1.2” is found in an event, a field named “dest” may becreated for the event, and assigned a value of “10.0.1.2”.

At block 518, the indexer stores the events with an associated timestampin a data store 208. Timestamps enable a user to search for events basedon a time range. In some embodiments, the stored events are organizedinto “buckets,” where each bucket stores events associated with aspecific time range based on the timestamps associated with each event.This improves time-based searching, as well as allows for events withrecent timestamps, which may have a higher likelihood of being accessed,to be stored in a faster memory to facilitate faster retrieval. Forexample, buckets containing the most recent events can be stored inflash memory rather than on a hard disk. In some embodiments, eachbucket may be associated with an identifier, a time range, and a sizeconstraint.

Each indexer 206 may be responsible for storing and searching a subsetof the events contained in a corresponding data store 208. Bydistributing events among the indexers and data stores, the indexers cananalyze events for a query in parallel. For example, using map-reducetechniques, each indexer returns partial responses for a subset ofevents to a search head that combines the results to produce an answerfor the query. By storing events in buckets for specific time ranges, anindexer may further optimize the data retrieval process by searchingbuckets corresponding to time ranges that are relevant to a query.

In some embodiments, each indexer has a home directory and a colddirectory. The home directory of an indexer stores hot buckets and warmbuckets, and the cold directory of an indexer stores cold buckets. A hotbucket is a bucket that is capable of receiving and storing events. Awarm bucket is a bucket that can no longer receive events for storagebut has not yet been moved to the cold directory. A cold bucket is abucket that can no longer receive events and may be a bucket that waspreviously stored in the home directory. The home directory may bestored in faster memory, such as flash memory, as events may be activelywritten to the home directory, and the home directory may typicallystore events that are more frequently searched and thus are accessedmore frequently. The cold directory may be stored in slower and/orlarger memory, such as a hard disk, as events are no longer beingwritten to the cold directory, and the cold directory may typicallystore events that are not as frequently searched and thus are accessedless frequently. In some embodiments, an indexer may also have aquarantine bucket that contains events having potentially inaccurateinformation, such as an incorrect time stamp associated with the eventor a time stamp that appears to be an unreasonable time stamp for thecorresponding event. The quarantine bucket may have events from any timerange; as such, the quarantine bucket may always be searched at searchtime. Additionally, an indexer may store old, archived data in a frozenbucket that is not capable of being searched at search time. In someembodiments, a frozen bucket may be stored in slower and/or largermemory, such as a hard disk, and may be stored in offline and/or remotestorage.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as described in U.S. Pat. No. 9,130,971, entitled “Site-BasedSearch Affinity”, issued on 8 Sep. 2015, and in U.S. patent Ser. No.14/266,817, entitled “Multi-Site Clustering”, issued on 1 Sep. 2015,each of which is hereby incorporated by reference in its entirety forall purposes.

FIG. 5B is a block diagram of an example data store 501 that includes adirectory for each index (or partition) that contains a portion of datamanaged by an indexer. FIG. 5B further illustrates details of anembodiment of an inverted index 507B and an event reference array 515associated with inverted index 507B.

The data store 501 can correspond to a data store 208 that stores eventsmanaged by an indexer 206 or can correspond to a different data storeassociated with an indexer 206. In the illustrated embodiment, the datastore 501 includes a _main directory 503 associated with a _main indexand a _test directory 505 associated with a _test index. However, thedata store 501 can include fewer or more directories. In someembodiments, multiple indexes can share a single directory or allindexes can share a common directory. Additionally, although illustratedas a single data store 501, it will be understood that the data store501 can be implemented as multiple data stores storing differentportions of the information shown in FIG. 5B. For example, a singleindex or partition can span multiple directories or multiple datastores, and can be indexed or searched by multiple correspondingindexers.

In the illustrated embodiment of FIG. 5B, the index-specific directories503 and 505 include inverted indexes 507A, 507B and 509A, 509B,respectively. The inverted indexes 507A . . . 507B, and 509A . . . 509Bcan be keyword indexes or field-value pair indexes described hereing andcan include less or more information that depicted in FIG. 5B.

In some embodiments, the inverted index 507A . . . 507B, and 509A . . .509B can correspond to a distinct time-series bucket that is managed bythe indexer 206 and that contains events corresponding to the relevantindex (e.g., _main index, _test index). As such, each inverted index cancorrespond to a particular range of time for an index. Additional files,such as high performance indexes for each time-series bucket of anindex, can also be stored in the same directory as the inverted indexes507A . . . 507B, and 509A . . . 509B. In some embodiments inverted index507A . . . 507B, and 509A . . . 509B can correspond to multipletime-series buckets or inverted indexes 507A . . . 507B, and 509A . . .509B can correspond to a single time-series bucket.

Each inverted index 507A . . . 507B, and 509A . . . 509B can include oneor more entries, such as keyword (or token) entries or field-value pairentries. Furthermore, in certain embodiments, the inverted indexes 507A. . . 507B, and 509A . . . 509B can include additional information, suchas a time range 523 associated with the inverted index or an indexidentifier 525 identifying the index associated with the inverted index507A . . . 507B, and 509A . . . 509B. However, each inverted index 507A. . . 507B, and 509A . . . 509B can include less or more informationthan depicted.

Token entries, such as token entries 511 illustrated in inverted index507B, can include a token 511A (e.g., “error,” “itemID,” etc.) and eventreferences 511B indicative of events that include the token. Forexample, for the token “error,” the corresponding token entry includesthe token “error” and an event reference, or unique identifier, for eachevent stored in the corresponding time-series bucket that includes thetoken “error.” In the illustrated embodiment of FIG. 5B, the error tokenentry includes the identifiers 3, 5, 6, 8, 11, and 12 corresponding toevents managed by the indexer 206 and associated with the index_main 503that are located in the time-series bucket associated with the invertedindex 507B.

In some cases, some token entries can be default entries, automaticallydetermined entries, or user specified entries. In some embodiments, theindexer 206 can identify each word or string in an event as a distincttoken and generate a token entry for it. In some cases, the indexer 206can identify the beginning and ending of tokens based on punctuation,spaces, as described in greater detail herein. In certain cases, theindexer 206 can rely on user input or a configuration file to identifytokens for token entries 511, etc. It will be understood that anycombination of token entries can be included as a default, automaticallydetermined, a or included based on user-specified criteria.

Similarly, field-value pair entries, such as field-value pair entries513 shown in inverted index 507B, can include a field-value pair 513Aand event references 513B indicative of events that include a fieldvalue that corresponds to the field-value pair. For example, for afield-value pair sourcetype::sendmail, a field-value pair entry wouldinclude the field-value pair sourcetype::sendmail and a uniqueidentifier, or event reference, for each event stored in thecorresponding time-series bucket that includes a sendmail sourcetype.

In some cases, the field-value pair entries 513 can be default entries,automatically determined entries, or user specified entries. As anon-limiting example, the field-value pair entries for the fields host,source, sourcetype can be included in the inverted indexes 507A . . .507B, and 509A . . . 509B as a default. As such, all of the invertedindexes 507A . . . 507B, and 509A . . . 509B can include field-valuepair entries for the fields host, source, sourcetype. As yet anothernon-limiting example, the field-value pair entries for the IP_addressfield can be user specified and may only appear in the inverted index507B based on user-specified criteria. As another non-limiting example,as the indexer indexes the events, it can automatically identifyfield-value pairs and create field-value pair entries. For example,based on the indexers review of events, it can identify IP_address as afield in each event and add the IP_address field-value pair entries tothe inverted index 507B. It will be understood that any combination offield-value pair entries can be included as a default, automaticallydetermined, or included based on user-specified criteria.

Each unique identifier 517, or event reference, can correspond to aunique event located in the time series bucket. However, the same eventreference can be located in multiple entries. For example if an eventhas a sourcetype splunkd, host www1 and token “warning,” then the uniqueidentifier for the event will appear in the field-value pair entriessourcetype::splunkd and host::www1, as well as the token entry“warning.” With reference to the illustrated embodiment of FIG. 5B andthe event that corresponds to the event reference 3, the event reference3 is found in the field-value pair entries 513 host::hostA,source::sourceB, sourcetype::sourcetypeA, and IP_address::91.205.189.15indicating that the event corresponding to the event references is fromhostA, sourceB, of sourcetypeA, and includes 91.205.189.15 in the eventdata.

For some fields, the unique identifier is located in only onefield-value pair entry for a particular field. For example, the invertedindex may include four sourcetype field-value pair entries correspondingto four different sourcetypes of the events stored in a bucket (e.g.,sourcetypes: sendmail, splunkd, web_access, and web_service). Withinthose four sourcetype field-value pair entries, an identifier for aparticular event may appear in only one of the field-value pair entries.With continued reference to the example illustrated embodiment of FIG.5B, since the event reference 7 appears in the field-value pair entrysourcetype::sourcetypeA, then it does not appear in the otherfield-value pair entries for the sourcetype field, includingsourcetype::sourcetypeB, sourcetype::sourcetypeC, andsourcetype::sourcetypeD.

The event references 517 can be used to locate the events in thecorresponding bucket. For example, the inverted index can include, or beassociated with, an event reference array 515. The event reference array515 can include an array entry 517 for each event reference in theinverted index 507B. Each array entry 517 can include locationinformation 519 of the event corresponding to the unique identifier(non-limiting example: seek address of the event), a timestamp 521associated with the event, or additional information regarding the eventassociated with the event reference, etc.

For each token entry 511 or field-value pair entry 513, the eventreference 501B or unique identifiers can be listed in chronologicalorder or the value of the event reference can be assigned based onchronological data, such as a timestamp associated with the eventreferenced by the event reference. For example, the event reference 1 inthe illustrated embodiment of FIG. 5B can correspond to thefirst-in-time event for the bucket, and the event reference 12 cancorrespond to the last-in-time event for the bucket. However, the eventreferences can be listed in any order, such as reverse chronologicalorder, ascending order, descending order, or some other order, etc.Further, the entries can be sorted. For example, the entries can besorted alphabetically (collectively or within a particular group), byentry origin (e.g., default, automatically generated, user-specified,etc.), by entry type (e.g., field-value pair entry, token entry, etc.),or chronologically by when added to the inverted index, etc. In theillustrated embodiment of FIG. 5B, the entries are sorted first by entrytype and then alphabetically.

As a non-limiting example of how the inverted indexes 507A . . . 507B,and 509A . . . 509B can be used during a data categorization requestcommand, the indexers can receive filter criteria indicating data thatis to be categorized and categorization criteria indicating how the datais to be categorized. Example filter criteria can include, but is notlimited to, indexes (or partitions), hosts, sources, sourcetypes, timeranges, field identifier, keywords, etc.

Using the filter criteria, the indexer identifies relevant invertedindexes to be searched. For example, if the filter criteria includes aset of partitions, the indexer can identify the inverted indexes storedin the directory corresponding to the particular partition as relevantinverted indexes. Other means can be used to identify inverted indexesassociated with a partition of interest. For example, in someembodiments, the indexer can review an entry in the inverted indexes,such as an index-value pair entry 513 to determine if a particularinverted index is relevant. If the filter criteria does not identify anypartition, then the indexer can identify all inverted indexes managed bythe indexer as relevant inverted indexes.

Similarly, if the filter criteria includes a time range, the indexer canidentify inverted indexes corresponding to buckets that satisfy at leasta portion of the time range as relevant inverted indexes. For example,if the time range is last hour then the indexer can identify allinverted indexes that correspond to buckets storing events associatedwith timestamps within the last hour as relevant inverted indexes.

When used in combination, an index filter criterion specifying one ormore partitions and a time range filter criterion specifying aparticular time range can be used to identify a subset of invertedindexes within a particular directory (or otherwise associated with aparticular partition) as relevant inverted indexes. As such, the indexercan focus the processing to only a subset of the total number ofinverted indexes that the indexer manages.

Once the relevant inverted indexes are identified, the indexer canreview them using any additional filter criteria to identify events thatsatisfy the filter criteria. In some cases, using the known location ofthe directory in which the relevant inverted indexes are located, theindexer can determine that any events identified using the relevantinverted indexes satisfy an index filter criterion. For example, if thefilter criteria includes a partition main, then the indexer candetermine that any events identified using inverted indexes within thepartition main directory (or otherwise associated with the partitionmain) satisfy the index filter criterion.

Furthermore, based on the time range associated with each invertedindex, the indexer can determine that that any events identified using aparticular inverted index satisfies a time range filter criterion. Forexample, if a time range filter criterion is for the last hour and aparticular inverted index corresponds to events within a time range of50 minutes ago to 35 minutes ago, the indexer can determine that anyevents identified using the particular inverted index satisfy the timerange filter criterion. Conversely, if the particular inverted indexcorresponds to events within a time range of 59 minutes ago to 62minutes ago, the indexer can determine that some events identified usingthe particular inverted index may not satisfy the time range filtercriterion.

Using the inverted indexes, the indexer can identify event references(and therefore events) that satisfy the filter criteria. For example, ifthe token “error” is a filter criterion, the indexer can track all eventreferences within the token entry “error.” Similarly, the indexer canidentify other event references located in other token entries orfield-value pair entries that match the filter criteria. The system canidentify event references located in all of the entries identified bythe filter criteria. For example, if the filter criteria include thetoken “error” and field-value pair sourcetype::web_ui, the indexer cantrack the event references found in both the token entry “error” and thefield-value pair entry sourcetype::web_ui. As mentioned previously, insome cases, such as when multiple values are identified for a particularfilter criterion (e.g., multiple sources for a source filter criterion),the system can identify event references located in at least one of theentries corresponding to the multiple values and in all other entriesidentified by the filter criteria. The indexer can determine that theevents associated with the identified event references satisfy thefilter criteria.

In some cases, the indexer can further consult a timestamp associatedwith the event reference to determine whether an event satisfies thefilter criteria. For example, if an inverted index corresponds to a timerange that is partially outside of a time range filter criterion, thenthe indexer can consult a timestamp associated with the event referenceto determine whether the corresponding event satisfies the time rangecriterion. In some embodiments, to identify events that satisfy a timerange, the indexer can review an array, such as the event referencearray 1614 that identifies the time associated with the events.Furthermore, as mentioned above using the known location of thedirectory in which the relevant inverted indexes are located (or otherindex identifier), the indexer can determine that any events identifiedusing the relevant inverted indexes satisfy the index filter criterion.

In some cases, based on the filter criteria, the indexer reviews anextraction rule. In certain embodiments, if the filter criteria includesa field name that does not correspond to a field-value pair entry in aninverted index, the indexer can review an extraction rule, which may belocated in a configuration file, to identify a field that corresponds toa field-value pair entry in the inverted index.

For example, the filter criteria includes a field name “sessionID” andthe indexer determines that at least one relevant inverted index doesnot include a field-value pair entry corresponding to the field namesessionID, the indexer can review an extraction rule that identifies howthe sessionID field is to be extracted from a particular host, source,or sourcetype (implicitly identifying the particular host, source, orsourcetype that includes a sessionID field). The indexer can replace thefield name “sessionID” in the filter criteria with the identified host,source, or sourcetype. In some cases, the field name “sessionID” may beassociated with multiples hosts, sources, or sourcetypes, in which case,all identified hosts, sources, and sourcetypes can be added as filtercriteria. In some cases, the identified host, source, or sourcetype canreplace or be appended to a filter criterion, or be excluded. Forexample, if the filter criteria includes a criterion for source S1 andthe “sessionID” field is found in source S2, the source S2 can replaceS1 in the filter criteria, be appended such that the filter criteriaincludes source S1 and source S2, or be excluded based on the presenceof the filter criterion source S1. If the identified host, source, orsourcetype is included in the filter criteria, the indexer can thenidentify a field-value pair entry in the inverted index that includes afield value corresponding to the identity of the particular host,source, or sourcetype identified using the extraction rule.

Once the events that satisfy the filter criteria are identified, thesystem, such as the indexer 206 can categorize the results based on thecategorization criteria. The categorization criteria can includecategories for grouping the results, such as any combination ofpartition, source, sourcetype, or host, or other categories or fields asdesired.

The indexer can use the categorization criteria to identifycategorization criteria-value pairs or categorization criteria values bywhich to categorize or group the results. The categorizationcriteria-value pairs can correspond to one or more field-value pairentries stored in a relevant inverted index, one or more index-valuepairs based on a directory in which the inverted index is located or anentry in the inverted index (or other means by which an inverted indexcan be associated with a partition), or other criteria-value pair thatidentifies a general category and a particular value for that category.The categorization criteria values can correspond to the value portionof the categorization criteria-value pair.

As mentioned, in some cases, the categorization criteria-value pairs cancorrespond to one or more field-value pair entries stored in therelevant inverted indexes. For example, the categorizationcriteria-value pairs can correspond to field-value pair entries of host,source, and sourcetype (or other field-value pair entry as desired). Forinstance, if there are ten different hosts, four different sources, andfive different sourcetypes for an inverted index, then the invertedindex can include ten host field-value pair entries, four sourcefield-value pair entries, and five sourcetype field-value pair entries.The indexer can use the nineteen distinct field-value pair entries ascategorization criteria-value pairs to group the results.

Specifically, the indexer can identify the location of the eventreferences associated with the events that satisfy the filter criteriawithin the field-value pairs, and group the event references based ontheir location. As such, the indexer can identify the particular fieldvalue associated with the event corresponding to the event reference.For example, if the categorization criteria include host and sourcetype,the host field-value pair entries and sourcetype field-value pairentries can be used as categorization criteria-value pairs to identifythe specific host and sourcetype associated with the events that satisfythe filter criteria.

In addition, as mentioned, categorization criteria-value pairs cancorrespond to data other than the field-value pair entries in therelevant inverted indexes. For example, if partition or index is used asa categorization criterion, the inverted indexes may not includepartition field-value pair entries. Rather, the indexer can identify thecategorization criteria-value pair associated with the partition basedon the directory in which an inverted index is located, information inthe inverted index, or other information that associates the invertedindex with the partition, etc. As such a variety of methods can be usedto identify the categorization criteria-value pairs from thecategorization criteria.

Accordingly based on the categorization criteria (and categorizationcriteria-value pairs), the indexer can generate groupings based on theevents that satisfy the filter criteria. As a non-limiting example, ifthe categorization criteria includes a partition and sourcetype, thenthe groupings can correspond to events that are associated with eachunique combination of partition and sourcetype. For instance, if thereare three different partitions and two different sourcetypes associatedwith the identified events, then the six different groups can be formed,each with a unique partition value-sourcetype value combination.Similarly, if the categorization criteria includes partition,sourcetype, and host and there are two different partitions, threesourcetypes, and five hosts associated with the identified events, thenthe indexer can generate up to thirty groups for the results thatsatisfy the filter criteria. Each group can be associated with a uniquecombination of categorization criteria-value pairs (e.g., uniquecombinations of partition value sourcetype value, and host value).

In addition, the indexer can count the number of events associated witheach group based on the number of events that meet the uniquecombination of categorization criteria for a particular group (or matchthe categorization criteria-value pairs for the particular group). Withcontinued reference to the example above, the indexer can count thenumber of events that meet the unique combination of partition,sourcetype, and host for a particular group.

Each indexer communicates the groupings to the search head. The searchhead can aggregate the groupings from the indexers and provide thegroupings for display. In some cases, the groups are displayed based onat least one of the host, source, sourcetype, or partition associatedwith the groupings. In some embodiments, the search head can furtherdisplay the groups based on display criteria, such as a display order ora sort order as described in greater detail above.

As a non-limiting example and with reference to FIG. 5B, consider arequest received by an indexer 206 that includes the following filtercriteria: keyword=error, partition=_main, time range=3/1/1716:22.00.000-16:28.00.000, sourcetype=sourcetypeC, host=hostB, and thefollowing categorization criteria: source.

Based on the above criteria, the indexer 206 identifies_main directory503 and can ignore_test directory 505 and any other partition-specificdirectories. The indexer determines that inverted partition 507B is arelevant partition based on its location within the _main directory 503and the time range associated with it. For sake of simplicity in thisexample, the indexer 206 determines that no other inverted indexes inthe _main directory 503, such as inverted index 507A satisfy the timerange criterion.

Having identified the relevant inverted index 507B, the indexer reviewsthe token entries 511 and the field-value pair entries 513 to identifyevent references, or events, that satisfy all of the filter criteria.

With respect to the token entries 511, the indexer can review the errortoken entry and identify event references 3, 5, 6, 8, 11, 12, indicatingthat the term “error” is found in the corresponding events. Similarly,the indexer can identify event references 4, 5, 6, 8, 9, 10, 11 in thefield-value pair entry sourcetype::sourcetypeC and event references 2,5, 6, 8, 10, 11 in the field-value pair entry host::hostB. As the filtercriteria did not include a source or an IP_address field-value pair, theindexer can ignore those field-value pair entries.

In addition to identifying event references found in at least one tokenentry or field-value pair entry (e.g., event references 3, 4, 5, 6, 8,9, 10, 11, 12), the indexer can identify events (and corresponding eventreferences) that satisfy the time range criterion using the eventreference array 1614 (e.g., event references 2, 3, 4, 5, 6, 7, 8, 9,10). Using the information obtained from the inverted index 507B(including the event reference array 515), the indexer 206 can identifythe event references that satisfy all of the filter criteria (e.g.,event references 5, 6, 8).

Having identified the events (and event references) that satisfy all ofthe filter criteria, the indexer 206 can group the event referencesusing the received categorization criteria (source). In doing so, theindexer can determine that event references 5 and 6 are located in thefield-value pair entry source::sourceD (or have matching categorizationcriteria-value pairs) and event reference 8 is located in thefield-value pair entry source::sourceC. Accordingly, the indexer cangenerate a sourceC group having a count of one corresponding toreference 8 and a sourceD group having a count of two corresponding toreferences 5 and 6. This information can be communicated to the searchhead. In turn the search head can aggregate the results from the variousindexers and display the groupings. As mentioned above, in someembodiments, the groupings can be displayed based at least in part onthe categorization criteria, including at least one of host, source,sourcetype, or partition.

It will be understood that a change to any of the filter criteria orcategorization criteria can result in different groupings. As a onenon-limiting example, a request received by an indexer 206 that includesthe following filter criteria: partition=_main, time range=3/1/17 3/1/1716:21:20.000-16:28:17.000, and the following categorization criteria:host, source, sourcetype would result in the indexer identifying eventreferences 1-12 as satisfying the filter criteria. The indexer wouldthen generate up to 24 groupings corresponding to the 24 differentcombinations of the categorization criteria-value pairs, including host(hostA, hostB), source (sourceA, sourceB, sourceC, sourceD), andsourcetype (sourcetypeA, sourcetypeB, sourcetypeC). However, as thereare only twelve events identifiers in the illustrated embodiment andsome fall into the same grouping, the indexer generates eight groups andcounts as follows:

-   -   Group 1 (hostA, sourceA, sourcetypeA): 1 (event reference 7)    -   Group 2 (hostA, sourceA, sourcetypeB): 2 (event references 1,        12)    -   Group 3 (hostA, sourceA, sourcetypeC): 1 (event reference 4)    -   Group 4 (hostA, sourceB, sourcetypeA): 1 (event reference 3)    -   Group 5 (hostA, sourceB, sourcetypeC): 1 (event reference 9)    -   Group 6 (hostB, sourceC, sourcetypeA): 1 (event reference 2)    -   Group 7 (hostB, sourceC, sourcetypeC): 2 (event references 8,        11)    -   Group 8 (hostB, sourceD, sourcetypeC): 3 (event references 5, 6,        10)

As noted, each group has a unique combination of categorizationcriteria-value pairs or categorization criteria values. The indexercommunicates the groups to the search head for aggregation with resultsreceived from other indexers. In communicating the groups to the searchhead, the indexer can include the categorization criteria-value pairsfor each group and the count. In some embodiments, the indexer caninclude more or less information. For example, the indexer can includethe event references associated with each group and other identifyinginformation, such as the indexer or inverted index used to identify thegroups.

As another non-limiting examples, a request received by an indexer 206that includes the following filter criteria: partition=_main, timerange=3/1/17 3/1/17 16:21:20.000-16:28:17.000, source=sourceA, sourceD,and keyword=itemID and the following categorization criteria: host,source, sourcetype would result in the indexer identifying eventreferences 4, 7, and 10 as satisfying the filter criteria, and generatethe following groups:

-   -   Group 1 (hostA, sourceA, sourcetypeC): 1 (event reference 4)    -   Group 2 (hostA, sourceA, sourcetypeA): 1 (event reference 7)    -   Group 3 (hostB, sourceD, sourcetypeC): 1 (event references 10)

The indexer communicates the groups to the search head for aggregationwith results received from other indexers. As will be understand thereare myriad ways for filtering and categorizing the events and eventreferences. For example, the indexer can review multiple invertedindexes associated with an partition or review the inverted indexes ofmultiple partitions, and categorize the data using any one or anycombination of partition, host, source, sourcetype, or other category,as desired.

Further, if a user interacts with a particular group, the indexer canprovide additional information regarding the group. For example, theindexer can perform a targeted search or sampling of the events thatsatisfy the filter criteria and the categorization criteria for theselected group, also referred to as the filter criteria corresponding tothe group or filter criteria associated with the group.

In some cases, to provide the additional information, the indexer relieson the inverted index. For example, the indexer can identify the eventreferences associated with the events that satisfy the filter criteriaand the categorization criteria for the selected group and then use theevent reference array 515 to access some or all of the identifiedevents. In some cases, the categorization criteria values orcategorization criteria-value pairs associated with the group becomepart of the filter criteria for the review.

With reference to FIG. 5B for instance, suppose a group is displayedwith a count of six corresponding to event references 4, 5, 6, 8, 10, 11(i.e., event references 4, 5, 6, 8, 10, 11 satisfy the filter criteriaand are associated with matching categorization criteria values orcategorization criteria-value pairs) and a user interacts with the group(e.g., selecting the group, clicking on the group, etc.). In response,the search head communicates with the indexer to provide additionalinformation regarding the group.

In some embodiments, the indexer identifies the event referencesassociated with the group using the filter criteria and thecategorization criteria for the group (e.g., categorization criteriavalues or categorization criteria-value pairs unique to the group).Together, the filter criteria and the categorization criteria for thegroup can be referred to as the filter criteria associated with thegroup. Using the filter criteria associated with the group, the indexeridentifies event references 4, 5, 6, 8, 10, 11.

Based on a sampling criteria, discussed in greater detail above, theindexer can determine that it will analyze a sample of the eventsassociated with the event references 4, 5, 6, 8, 10, 11. For example,the sample can include analyzing event data associated with the eventreferences 5, 8, 10. In some embodiments, the indexer can use the eventreference array 1616 to access the event data associated with the eventreferences 5, 8, 10. Once accessed, the indexer can compile the relevantinformation and provide it to the search head for aggregation withresults from other indexers. By identifying events and sampling eventdata using the inverted indexes, the indexer can reduce the amount ofactual data this is analyzed and the number of events that are accessedin order to generate the summary of the group and provide a response inless time.

2.8. Query Processing

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments. At block 602, a search head receives a search queryfrom a client. At block 604, the search head analyzes the search queryto determine what portion(s) of the query can be delegated to indexersand what portions of the query can be executed locally by the searchhead. At block 606, the search head distributes the determined portionsof the query to the appropriate indexers. In some embodiments, a searchhead cluster may take the place of an independent search head where eachsearch head in the search head cluster coordinates with peer searchheads in the search head cluster to schedule jobs, replicate searchresults, update configurations, fulfill search requests, etc. In someembodiments, the search head (or each search head) communicates with amaster node (also known as a cluster master, not shown in FIG. 2) thatprovides the search head with a list of indexers to which the searchhead can distribute the determined portions of the query. The masternode maintains a list of active indexers and can also designate whichindexers may have responsibility for responding to queries over certainsets of events. A search head may communicate with the master nodebefore the search head distributes queries to indexers to discover theaddresses of active indexers.

At block 608, the indexers to which the query was distributed, searchdata stores associated with them for events that are responsive to thequery. To determine which events are responsive to the query, theindexer searches for events that match the criteria specified in thequery. These criteria can include matching keywords or specific valuesfor certain fields. The searching operations at block 608 may use thelate-binding schema to extract values for specified fields from eventsat the time the query is processed. In some embodiments, one or morerules for extracting field values may be specified as part of a sourcetype definition in a configuration file. The indexers may then eithersend the relevant events back to the search head, or use the events todetermine a partial result, and send the partial result back to thesearch head.

At block 610, the search head combines the partial results and/or eventsreceived from the indexers to produce a final result for the query. Insome examples, the results of the query are indicative of performance orsecurity of the IT environment and may help improve the performance ofcomponents in the IT environment. This final result may comprisedifferent types of data depending on what the query requested. Forexample, the results can include a listing of matching events returnedby the query, or some type of visualization of the data from thereturned events. In another example, the final result can include one ormore calculated values derived from the matching events.

The results generated by the system 108 can be returned to a clientusing different techniques. For example, one technique streams resultsor relevant events back to a client in real-time as they are identified.Another technique waits to report the results to the client until acomplete set of results (which may include a set of relevant events or aresult based on relevant events) is ready to return to the client. Yetanother technique streams interim results or relevant events back to theclient in real-time until a complete set of results is ready, and thenreturns the complete set of results to the client. In another technique,certain results are stored as “search jobs” and the client may retrievethe results by referring the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head begins execution ofa query, the search head can determine a time range for the query and aset of common keywords that all matching events include. The search headmay then use these parameters to query the indexers to obtain a supersetof the eventual results. Then, during a filtering stage, the search headcan perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries, which may beparticularly helpful for queries that are performed on a periodic basis.

2.9. Pipelined Search Language

Various embodiments of the present disclosure can be implemented using,or in conjunction with, a pipelined command language. A pipelinedcommand language is a language in which a set of inputs or data isoperated on by a first command in a sequence of commands, and thensubsequent commands in the order they are arranged in the sequence. Suchcommands can include any type of functionality for operating on data,such as retrieving, searching, filtering, aggregating, processing,transmitting, and the like. As described herein, a query can thus beformulated in a pipelined command language and include any number ofordered or unordered commands for operating on data.

Splunk Processing Language (SPL) is an example of a pipelined commandlanguage in which a set of inputs or data is operated on by any numberof commands in a particular sequence. A sequence of commands, or commandsequence, can be formulated such that the order in which the commandsare arranged defines the order in which the commands are applied to aset of data or the results of an earlier executed command. For example,a first command in a command sequence can operate to search or filterfor specific data in particular set of data. The results of the firstcommand can then be passed to another command listed later in thecommand sequence for further processing.

In various embodiments, a query can be formulated as a command sequencedefined in a command line of a search UI. In some embodiments, a querycan be formulated as a sequence of SPL commands. Some or all of the SPLcommands in the sequence of SPL commands can be separated from oneanother by a pipe symbol “|”. In such embodiments, a set of data, suchas a set of events, can be operated on by a first SPL command in thesequence, and then a subsequent SPL command following a pipe symbol “|”after the first SPL command operates on the results produced by thefirst SPL command or other set of data, and so on for any additional SPLcommands in the sequence. As such, a query formulated using SPLcomprises a series of consecutive commands that are delimited by pipe“|” characters. The pipe character indicates to the system that theoutput or result of one command (to the left of the pipe) should be usedas the input for one of the subsequent commands (to the right of thepipe). This enables formulation of queries defined by a pipeline ofsequenced commands that refines or enhances the data at each step alongthe pipeline until the desired results are attained. Accordingly,various embodiments described herein can be implemented with SplunkProcessing Language (SPL) used in conjunction with the SPLUNK®ENTERPRISE system.

While a query can be formulated in many ways, a query can start with asearch command and one or more corresponding search terms at thebeginning of the pipeline. Such search terms can include any combinationof keywords, phrases, times, dates, Boolean expressions, fieldname-fieldvalue pairs, etc. that specify which results should be obtained from anindex. The results can then be passed as inputs into subsequent commandsin a sequence of commands by using, for example, a pipe character. Thesubsequent commands in a sequence can include directives for additionalprocessing of the results once it has been obtained from one or moreindexes. For example, commands may be used to filter unwantedinformation out of the results, extract more information, evaluate fieldvalues, calculate statistics, reorder the results, create an alert,create summary of the results, or perform some type of aggregationfunction. In some embodiments, the summary can include a graph, chart,metric, or other visualization of the data. An aggregation function caninclude analysis or calculations to return an aggregate value, such asan average value, a sum, a maximum value, a root mean square,statistical values, and the like.

Due to its flexible nature, use of a pipelined command language invarious embodiments is advantageous because it can perform “filtering”as well as “processing” functions. In other words, a single query caninclude a search command and search term expressions, as well asdata-analysis expressions. For example, a command at the beginning of aquery can perform a “filtering” step by retrieving a set of data basedon a condition (e.g., records associated with server response times ofless than 1 microsecond). The results of the filtering step can then bepassed to a subsequent command in the pipeline that performs a“processing” step (e.g. calculation of an aggregate value related to thefiltered events such as the average response time of servers withresponse times of less than 1 microsecond). Furthermore, the searchcommand can allow events to be filtered by keyword as well as fieldvalue criteria. For example, a search command can filter out all eventscontaining the word “warning” or filter out all events where a fieldvalue associated with a field “clientip” is “10.0.1.2.”

The results obtained or generated in response to a command in a querycan be considered a set of results data. The set of results data can bepassed from one command to another in any data format. In oneembodiment, the set of result data can be in the form of a dynamicallycreated table. Each command in a particular query can redefine the shapeof the table. In some implementations, an event retrieved from an indexin response to a query can be considered a row with a column for eachfield value. Columns contain basic information about the data and alsomay contain data that has been dynamically extracted at search time.

FIG. 6B provides a visual representation of the manner in which apipelined command language or query operates in accordance with thedisclosed embodiments. The query 630 can be inputted by the user into asearch. The query comprises a search, the results of which are piped totwo commands (namely, command 1 and command 2) that follow the searchstep.

Disk 622 represents the event data in the raw record data store.

When a user query is processed, a search step will precede other queriesin the pipeline in order to generate a set of events at block 640. Forexample, the query can comprise search terms “sourcetype=syslog ERROR”at the front of the pipeline as shown in FIG. 6B. Intermediate resultstable 624 shows fewer rows because it represents the subset of eventsretrieved from the index that matched the search terms“sourcetype=syslog ERROR” from search command 630. By way of furtherexample, instead of a search step, the set of events at the head of thepipeline may be generating by a call to a pre-existing inverted index(as will be explained later).

At block 642, the set of events generated in the first part of the querymay be piped to a query that searches the set of events for field-valuepairs or for keywords. For example, the second intermediate resultstable 626 shows fewer columns, representing the result of the topcommand, “top user” which summarizes the events into a list of the top10 users and displays the user, count, and percentage.

Finally, at block 644, the results of the prior stage can be pipelinedto another stage where further filtering or processing of the data canbe performed, e.g., preparing the data for display purposes, filteringthe data based on a condition, performing a mathematical calculationwith the data, etc. As shown in FIG. 6B, the “fields—percent” part ofcommand 630 removes the column that shows the percentage, thereby,leaving a final results table 628 without a percentage column. Indifferent embodiments, other query languages, such as the StructuredQuery Language (“SQL”), can be used to create a query.

2.10. Field Extraction

The search head 210 allows users to search and visualize eventsgenerated from machine data received from homogenous data sources. Thesearch head 210 also allows users to search and visualize eventsgenerated from machine data received from heterogeneous data sources.The search head 210 includes various mechanisms, which may additionallyreside in an indexer 206, for processing a query. A query language maybe used to create a query, such as any suitable pipelined querylanguage. For example, Splunk Processing Language (SPL) can be utilizedto make a query. SPL is a pipelined search language in which a set ofinputs is operated on by a first command in a command line, and then asubsequent command following the pipe symbol “|” operates on the resultsproduced by the first command, and so on for additional commands. Otherquery languages, such as the Structured Query Language (“SQL”), can beused to create a query.

In response to receiving the search query, search head 210 usesextraction rules to extract values for fields in the events beingsearched. The search head 210 obtains extraction rules that specify howto extract a value for fields from an event. Extraction rules cancomprise regex rules that specify how to extract values for the fieldscorresponding to the extraction rules. In addition to specifying how toextract field values, the extraction rules may also include instructionsfor deriving a field value by performing a function on a characterstring or value retrieved by the extraction rule. For example, anextraction rule may truncate a character string or convert the characterstring into a different data format. In some cases, the query itself canspecify one or more extraction rules.

The search head 210 can apply the extraction rules to events that itreceives from indexers 206. Indexers 206 may apply the extraction rulesto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the portions of machine datain the events and examining the data for one or more patterns ofcharacters, numbers, delimiters, etc., that indicate where the fieldbegins and, optionally, ends.

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments. In this example, a usersubmits an order for merchandise using a vendor's shopping applicationprogram 701 running on the user's system. In this example, the order wasnot delivered to the vendor's server due to a resource exception at thedestination server that is detected by the middleware code 702. The userthen sends a message to the customer support server 703 to complainabout the order failing to complete. The three systems 701, 702, and 703are disparate systems that do not have a common logging format. Theorder application 701 sends log data 704 to the data intake and querysystem in one format, the middleware code 702 sends error log data 705in a second format, and the support server 703 sends log data 706 in athird format.

Using the log data received at one or more indexers 206 from the threesystems, the vendor can uniquely obtain an insight into user activity,user experience, and system behavior. The search head 210 allows thevendor's administrator to search the log data from the three systemsthat one or more indexers 206 are responsible for searching, therebyobtaining correlated information, such as the order number andcorresponding customer ID number of the person placing the order. Thesystem also allows the administrator to see a visualization of relatedevents via a user interface. The administrator can query the search head210 for customer ID field value matches across the log data from thethree systems that are stored at the one or more indexers 206. Thecustomer ID field value exists in the data gathered from the threesystems, but the customer ID field value may be located in differentareas of the data given differences in the architecture of the systems.There is a semantic relationship between the customer ID field valuesgenerated by the three systems. The search head 210 requests events fromthe one or more indexers 206 to gather relevant events from the threesystems. The search head 210 then applies extraction rules to the eventsin order to extract field values that it can correlate. The search headmay apply a different extraction rule to each set of events from eachsystem when the event format differs among systems. In this example, theuser interface can display to the administrator the events correspondingto the common customer ID field values 707, 708, and 709, therebyproviding the administrator with insight into a customer's experience.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include a set of one or more events, a set of one or morevalues obtained from the events, a subset of the values, statisticscalculated based on the values, a report containing the values, avisualization (e.g., a graph or chart) generated from the values, andthe like.

The search system enables users to run queries against the stored datato retrieve events that meet criteria specified in a query, such ascontaining certain keywords or having specific values in defined fields.FIG. 7B illustrates the manner in which keyword searches and fieldsearches are processed in accordance with disclosed embodiments.

If a user inputs a search query into search bar 1401 that includes onlykeywords (also known as “tokens”), e.g., the keyword “error” or“warning”, the query search engine of the data intake and query systemsearches for those keywords directly in the event data 722 stored in theraw record data store. Note that while FIG. 7B only illustrates fourevents, the raw record data store (corresponding to data store 208 inFIG. 2) may contain records for millions of events.

As disclosed above, an indexer can optionally generate a keyword indexto facilitate fast keyword searching for event data. The indexerincludes the identified keywords in an index, which associates eachstored keyword with reference pointers to events containing that keyword(or to locations within events where that keyword is located, otherlocation identifiers, etc.). When an indexer subsequently receives akeyword-based query, the indexer can access the keyword index to quicklyidentify events containing the keyword. For example, if the keyword“HTTP” was indexed by the indexer at index time, and the user searchesfor the keyword “HTTP”, events 713 to 715 will be identified based onthe results returned from the keyword index. As noted above, the indexcontains reference pointers to the events containing the keyword, whichallows for efficient retrieval of the relevant events from the rawrecord data store.

If a user searches for a keyword that has not been indexed by theindexer, the data intake and query system would nevertheless be able toretrieve the events by searching the event data for the keyword in theraw record data store directly as shown in FIG. 7B. For example, if auser searches for the keyword “frank”, and the name “frank” has not beenindexed at index time, the DATA INTAKE AND QUERY system will search theevent data directly and return the first event 713. Note that whetherthe keyword has been indexed at index time or not, in both cases the rawdata with the events 712 is accessed from the raw data record store toservice the keyword search. In the case where the keyword has beenindexed, the index will contain a reference pointer that will allow fora more efficient retrieval of the event data from the data store. If thekeyword has not been indexed, the search engine will need to searchthrough all the records in the data store to service the search.

In most cases, however, in addition to keywords, a user's search willalso include fields. The term “field” refers to a location in the eventdata containing one or more values for a specific data item. Often, afield is a value with a fixed, delimited position on a line, or a nameand value pair, where there is a single value to each field name. Afield can also be multivalued, that is, it can appear more than once inan event and have a different value for each appearance, e.g., emailaddress fields. Fields are searchable by the field name or fieldname-value pairs. Some examples of fields are “clientip” for IPaddresses accessing a web server, or the “From” and “To” fields in emailaddresses.

By way of further example, consider the search, “status=404”. Thissearch query finds events with “status” fields that have a value of“404.” When the search is run, the search engine does not look forevents with any other “status” value. It also does not look for eventscontaining other fields that share “404” as a value. As a result, thesearch returns a set of results that are more focused than if “404” hadbeen used in the search string as part of a keyword search. Note alsothat fields can appear in events as “key=value” pairs such as“user_name=Bob.” But in most cases, field values appear in fixed,delimited positions without identifying keys. For example, the datastore may contain events where the “user name” value always appears byitself after the timestamp as illustrated by the following string:“November 15 09:33:22 johnmedlock.”

The data intake and query system advantageously allows for search timefield extraction. In other words, fields can be extracted from the eventdata at search time using late-binding schema as opposed to at dataingestion time, which was a major limitation of the prior art systems.

In response to receiving the search query, search head 210 usesextraction rules to extract values for the fields associated with afield or fields in the event data being searched. The search head 210obtains extraction rules that specify how to extract a value for certainfields from an event. Extraction rules can comprise regex rules thatspecify how to extract values for the relevant fields. In addition tospecifying how to extract field values, the extraction rules may alsoinclude instructions for deriving a field value by performing a functionon a character string or value retrieved by the extraction rule. Forexample, a transformation rule may truncate a character string, orconvert the character string into a different data format. In somecases, the query itself can specify one or more extraction rules.

FIG. 7B illustrates the manner in which configuration files may be usedto configure custom fields at search time in accordance with thedisclosed embodiments. In response to receiving a search query, the dataintake and query system determines if the query references a “field.”For example, a query may request a list of events where the “clientip”field equals “127.0.0.1.” If the query itself does not specify anextraction rule and if the field is not a metadata field, e.g., time,host, source, source type, etc., then in order to determine anextraction rule, the search engine may, in one or more embodiments, needto locate configuration file 712 during the execution of the search asshown in FIG. 7B.

Configuration file 712 may contain extraction rules for all the variousfields that are not metadata fields, e.g., the “clientip” field. Theextraction rules may be inserted into the configuration file in avariety of ways. In some embodiments, the extraction rules can compriseregular expression rules that are manually entered in by the user.Regular expressions match patterns of characters in text and are usedfor extracting custom fields in text.

In one or more embodiments, as noted above, a field extractor may beconfigured to automatically generate extraction rules for certain fieldvalues in the events when the events are being created, indexed, orstored, or possibly at a later time. In one embodiment, a user may beable to dynamically create custom fields by highlighting portions of asample event that should be extracted as fields using a graphical userinterface. The system would then generate a regular expression thatextracts those fields from similar events and store the regularexpression as an extraction rule for the associated field in theconfiguration file 712.

In some embodiments, the indexers may automatically discover certaincustom fields at index time and the regular expressions for those fieldswill be automatically generated at index time and stored as part ofextraction rules in configuration file 712. For example, fields thatappear in the event data as “key=value” pairs may be automaticallyextracted as part of an automatic field discovery process. Note thatthere may be several other ways of adding field definitions toconfiguration files in addition to the methods discussed herein.

The search head 210 can apply the extraction rules derived fromconfiguration file 1402 to event data that it receives from indexers206. Indexers 206 may apply the extraction rules from the configurationfile to events in an associated data store 208. Extraction rules can beapplied to all the events in a data store, or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the event data and examiningthe event data for one or more patterns of characters, numbers,delimiters, etc., that indicate where the field begins and, optionally,ends.

In one more embodiments, the extraction rule in configuration file 712will also need to define the type or set of events that the rule appliesto. Because the raw record data store will contain events from multipleheterogeneous sources, multiple events may contain the same fields indifferent locations because of discrepancies in the format of the datagenerated by the various sources. Furthermore, certain events may notcontain a particular field at all. For example, event 719 also contains“clientip” field, however, the “clientip” field is in a different formatfrom events 713-715. To address the discrepancies in the format andcontent of the different types of events, the configuration file willalso need to specify the set of events that an extraction rule appliesto, e.g., extraction rule 716 specifies a rule for filtering by the typeof event and contains a regular expression for parsing out the fieldvalue. Accordingly, each extraction rule will pertain to only aparticular type of event. If a particular field, e.g., “clientip” occursin multiple events, each of those types of events would need its owncorresponding extraction rule in the configuration file 712 and each ofthe extraction rules would comprise a different regular expression toparse out the associated field value. The most common way to categorizeevents is by source type because events generated by a particular sourcecan have the same format.

The field extraction rules stored in configuration file 712 performsearch-time field extractions. For example, for a query that requests alist of events with source type “access_combined” where the “clientip”field equals “127.0.0.1,” the query search engine would first locate theconfiguration file 712 to retrieve extraction rule 716 that would allowit to extract values associated with the “clientip” field from the eventdata 720 “where the source type is “access_combined. After the“clientip” field has been extracted from all the events comprising the“clientip” field where the source type is “access_combined,” the querysearch engine can then execute the field criteria by performing thecompare operation to filter out the events where the “clientip” fieldequals “127.0.0.1.” In the example shown in FIG. 7B, events 713-715would be returned in response to the user query. In this manner, thesearch engine can service queries containing field criteria in additionto queries containing keyword criteria (as explained above).

The configuration file can be created during indexing. It may either bemanually created by the user or automatically generated with certainpredetermined field extraction rules. As discussed above, the events maybe distributed across several indexers, wherein each indexer may beresponsible for storing and searching a subset of the events containedin a corresponding data store. In a distributed indexer system, eachindexer would need to maintain a local copy of the configuration filethat is synchronized periodically across the various indexers.

The ability to add schema to the configuration file at search timeresults in increased efficiency. A user can create new fields at searchtime and simply add field definitions to the configuration file. As auser learns more about the data in the events, the user can continue torefine the late-binding schema by adding new fields, deleting fields, ormodifying the field extraction rules in the configuration file for usethe next time the schema is used by the system. Because the data intakeand query system maintains the underlying raw data and uses late-bindingschema for searching the raw data, it enables a user to continueinvestigating and learn valuable insights about the raw data long afterdata ingestion time.

The ability to add multiple field definitions to the configuration fileat search time also results in increased flexibility. For example,multiple field definitions can be added to the configuration file tocapture the same field across events generated by different sourcetypes. This allows the data intake and query system to search andcorrelate data across heterogeneous sources flexibly and efficiently.

Further, by providing the field definitions for the queried fields atsearch time, the configuration file 712 allows the record data store 712to be field searchable. In other words, the raw record data store 712can be searched using keywords as well as fields, wherein the fields aresearchable name/value pairings that distinguish one event from anotherand can be defined in configuration file 1402 using extraction rules. Incomparison to a search containing field names, a keyword search does notneed the configuration file and can search the event data directly asshown in FIG. 7B.

It should also be noted that any events filtered out by performing asearch-time field extraction using a configuration file can be furtherprocessed by directing the results of the filtering step to a processingstep using a pipelined search language. Using the prior example, a usercould pipeline the results of the compare step to an aggregate functionby asking the query search engine to count the number of events wherethe “clientip” field equals “127.0.0.1.”

2.11. Example Search Screen

FIG. 8A is an interface diagram of an example user interface for asearch screen 800, in accordance with example embodiments. Search screen800 includes a search bar 802 that accepts user input in the form of asearch string. It also includes a time range picker 812 that enables theuser to specify a time range for the search. For historical searches(e.g., searches based on a particular historical time range), the usercan select a specific time range, or alternatively a relative timerange, such as “today,” “yesterday” or “last week.” For real-timesearches (e.g., searches whose results are based on data received inreal-time), the user can select the size of a preceding time window tosearch for real-time events. Search screen 800 also initially displays a“data summary” dialog as is illustrated in FIG. 8B that enables the userto select different sources for the events, such as by selectingspecific hosts and log files.

After the search is executed, the search screen 800 in FIG. 8A candisplay the results through search results tabs 804, wherein searchresults tabs 804 includes: an “events tab” that displays variousinformation about events returned by the search; a “statistics tab” thatdisplays statistics about the search results; and a “visualization tab”that displays various visualizations of the search results. The eventstab illustrated in FIG. 8A displays a timeline graph 805 thatgraphically illustrates the number of events that occurred in one-hourintervals over the selected time range. The events tab also displays anevents list 808 that enables a user to view the machine data in each ofthe returned events.

The events tab additionally displays a sidebar that is an interactivefield picker 806. The field picker 806 may be displayed to a user inresponse to the search being executed and allows the user to furtheranalyze the search results based on the fields in the events of thesearch results. The field picker 806 includes field names that referencefields present in the events in the search results. The field picker maydisplay any Selected Fields 820 that a user has pre-selected for display(e.g., host, source, sourcetype) and may also display any InterestingFields 822 that the system determines may be interesting to the userbased on pre-specified criteria (e.g., action, bytes, categoryid,clientip, date_hour, date_mday, date_minute, etc.). The field pickeralso provides an option to display field names for all the fieldspresent in the events of the search results using the All Fields control824.

Each field name in the field picker 806 has a value type identifier tothe left of the field name, such as value type identifier 826. A valuetype identifier identifies the type of value for the respective field,such as an “a” for fields that include literal values or a “#” forfields that include numerical values.

Each field name in the field picker also has a unique value count to theright of the field name, such as unique value count 828. The uniquevalue count indicates the number of unique values for the respectivefield in the events of the search results.

Each field name is selectable to view the events in the search resultsthat have the field referenced by that field name. For example, a usercan select the “host” field name, and the events shown in the eventslist 808 will be updated with events in the search results that have thefield that is reference by the field name “host.”

2.12. Data Models

A data model is a hierarchically structured search-time mapping ofsemantic knowledge about one or more datasets. It encodes the domainknowledge used to build a variety of specialized searches of thosedatasets. Those searches, in turn, can be used to generate reports.

A data model is composed of one or more “objects” (or “data modelobjects”) that define or otherwise correspond to a specific set of data.An object is defined by constraints and attributes. An object'sconstraints are search criteria that define the set of events to beoperated on by running a search having that search criteria at the timethe data model is selected. An object's attributes are the set of fieldsto be exposed for operating on that set of events generated by thesearch criteria.

Objects in data models can be arranged hierarchically in parent/childrelationships. Each child object represents a subset of the datasetcovered by its parent object. The top-level objects in data models arecollectively referred to as “root objects.”

Child objects have inheritance. Child objects inherit constraints andattributes from their parent objects and may have additional constraintsand attributes of their own. Child objects provide a way of filteringevents from parent objects. Because a child object may provide anadditional constraint in addition to the constraints it has inheritedfrom its parent object, the dataset it represents may be a subset of thedataset that its parent represents. For example, a first data modelobject may define a broad set of data pertaining to e-mail activitygenerally, and another data model object may define specific datasetswithin the broad dataset, such as a subset of the e-mail data pertainingspecifically to e-mails sent. For example, a user can simply select an“e-mail activity” data model object to access a dataset relating toe-mails generally (e.g., sent or received), or select an “e-mails sent”data model object (or data sub-model object) to access a datasetrelating to e-mails sent.

Because a data model object is defined by its constraints (e.g., a setof search criteria) and attributes (e.g., a set of fields), a data modelobject can be used to quickly search data to identify a set of eventsand to identify a set of fields to be associated with the set of events.For example, an “e-mails sent” data model object may specify a searchfor events relating to e-mails that have been sent, and specify a set offields that are associated with the events. Thus, a user can retrieveand use the “e-mails sent” data model object to quickly search sourcedata for events relating to sent e-mails, and may be provided with alisting of the set of fields relevant to the events in a user interfacescreen.

Examples of data models can include electronic mail, authentication,databases, intrusion detection, malware, application state, alerts,compute inventory, network sessions, network traffic, performance,audits, updates, vulnerabilities, etc. Data models and their objects canbe designed by knowledge managers in an organization, and they canenable downstream users to quickly focus on a specific set of data. Auser iteratively applies a model development tool (not shown in FIG. 8A)to prepare a query that defines a subset of events and assigns an objectname to that subset. A child subset is created by further limiting aquery that generated a parent subset.

Data definitions in associated schemas can be taken from the commoninformation model (CIM) or can be devised for a particular schema andoptionally added to the CIM. Child objects inherit fields from parentsand can include fields not present in parents. A model developer canselect fewer extraction rules than are available for the sourcesreturned by the query that defines events belonging to a model.Selecting a limited set of extraction rules can be a tool forsimplifying and focusing the data model, while allowing a userflexibility to explore the data subset. Development of a data model isfurther explained in U.S. Pat. Nos. 8,788,525 and 8,788,526, bothentitled “DATA MODEL FOR MACHINE DATA FOR SEMANTIC SEARCH”, both issuedon 22 Jul. 2014, U.S. Pat. No. 8,983,994, entitled “GENERATION OF A DATAMODEL FOR SEARCHING MACHINE DATA”, issued on 17 Mar. 2015, U.S. Pat. No.9,128,980, entitled “GENERATION OF A DATA MODEL APPLIED TO QUERIES”,issued on 8 Sep. 2015, and U.S. Pat. No. 9,589,012, entitled “GENERATIONOF A DATA MODEL APPLIED TO OBJECT QUERIES”, issued on 7 Mar. 2017, eachof which is hereby incorporated by reference in its entirety for allpurposes.

A data model can also include reports. One or more report formats can beassociated with a particular data model and be made available to runagainst the data model. A user can use child objects to design reportswith object datasets that already have extraneous data pre-filtered out.In some embodiments, the data intake and query system 108 provides theuser with the ability to produce reports (e.g., a table, chart,visualization, etc.) without having to enter SPL, SQL, or other querylanguage terms into a search screen. Data models are used as the basisfor the search feature.

Data models may be selected in a report generation interface. The reportgenerator supports drag-and-drop organization of fields to be summarizedin a report. When a model is selected, the fields with availableextraction rules are made available for use in the report. The user mayrefine and/or filter search results to produce more precise reports. Theuser may select some fields for organizing the report and select otherfields for providing detail according to the report organization. Forexample, “region” and “salesperson” are fields used for organizing thereport and sales data can be summarized (subtotaled and totaled) withinthis organization. The report generator allows the user to specify oneor more fields within events and apply statistical analysis on valuesextracted from the specified one or more fields. The report generatormay aggregate search results across sets of events and generatestatistics based on aggregated search results. Building reports usingthe report generation interface is further explained in U.S. patentapplication Ser. No. 14/503,335, entitled “GENERATING REPORTS FROMUNSTRUCTURED DATA”, filed on 30 Sep. 2014, and which is herebyincorporated by reference in its entirety for all purposes. Datavisualizations also can be generated in a variety of formats, byreference to the data model. Reports, data visualizations, and datamodel objects can be saved and associated with the data model for futureuse. The data model object may be used to perform searches of otherdata.

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments. The reportgeneration process may be driven by a predefined data model object, suchas a data model object defined and/or saved via a reporting applicationor a data model object obtained from another source. A user can load asaved data model object using a report editor. For example, the initialsearch query and fields used to drive the report editor may be obtainedfrom a data model object. The data model object that is used to drive areport generation process may define a search and a set of fields. Uponloading of the data model object, the report generation process mayenable a user to use the fields (e.g., the fields defined by the datamodel object) to define criteria for a report (e.g., filters, splitrows/columns, aggregates, etc.) and the search may be used to identifyevents (e.g., to identify events responsive to the search) used togenerate the report. That is, for example, if a data model object isselected to drive a report editor, the graphical user interface of thereport editor may enable a user to define reporting criteria for thereport using the fields associated with the selected data model object,and the events used to generate the report may be constrained to theevents that match, or otherwise satisfy, the search constraints of theselected data model object.

The selection of a data model object for use in driving a reportgeneration may be facilitated by a data model object selectioninterface. FIG. 9 illustrates an example interactive data modelselection graphical user interface 900 of a report editor that displaysa listing of available data models 901. The user may select one of thedata models 902.

FIG. 10 illustrates an example data model object selection graphicaluser interface 1000 that displays available data objects 1001 for theselected data object model 902. The user may select one of the displayeddata model objects 1002 for use in driving the report generationprocess.

Once a data model object is selected by the user, a user interfacescreen 1100 shown in FIG. 11A may display an interactive listing ofautomatic field identification options 1101 based on the selected datamodel object. For example, a user may select one of the threeillustrated options (e.g., the “All Fields” option 1102, the “SelectedFields” option 1103, or the “Coverage” option (e.g., fields with atleast a specified % of coverage) 1104). If the user selects the “AllFields” option 1102, all of the fields identified from the events thatwere returned in response to an initial search query may be selected.That is, for example, all of the fields of the identified data modelobject fields may be selected. If the user selects the “Selected Fields”option 1103, only the fields from the fields of the identified datamodel object fields that are selected by the user may be used. If theuser selects the “Coverage” option 1104, only the fields of theidentified data model object fields meeting a specified coveragecriteria may be selected. A percent coverage may refer to the percentageof events returned by the initial search query that a given fieldappears in. Thus, for example, if an object dataset includes 10,000events returned in response to an initial search query, and the“avg_age” field appears in 854 of those 10,000 events, then the“avg_age” field would have a coverage of 8.54% for that object dataset.If, for example, the user selects the “Coverage” option and specifies acoverage value of 2%, only fields having a coverage value equal to orgreater than 2% may be selected. The number of fields corresponding toeach selectable option may be displayed in association with each option.For example, “97” displayed next to the “All Fields” option 1102indicates that 97 fields will be selected if the “All Fields” option isselected. The “3” displayed next to the “Selected Fields” option 1103indicates that 3 of the 97 fields will be selected if the “SelectedFields” option is selected. The “49” displayed next to the “Coverage”option 1104 indicates that 49 of the 97 fields (e.g., the 49 fieldshaving a coverage of 2% or greater) will be selected if the “Coverage”option is selected. The number of fields corresponding to the “Coverage”option may be dynamically updated based on the specified percent ofcoverage.

FIG. 11B illustrates an example graphical user interface screen 1105displaying the reporting application's “Report Editor” page. The screenmay display interactive elements for defining various elements of areport. For example, the page includes a “Filters” element 1106, a“Split Rows” element 1107, a “Split Columns” element 1108, and a “ColumnValues” element 1109. The page may include a list of search results1111. In this example, the Split Rows element 1107 is expanded,revealing a listing of fields 1110 that can be used to define additionalcriteria (e.g., reporting criteria). The listing of fields 1110 maycorrespond to the selected fields. That is, the listing of fields 1110may list only the fields previously selected, either automaticallyand/or manually by a user. FIG. 11C illustrates a formatting dialogue1112 that may be displayed upon selecting a field from the listing offields 1110. The dialogue can be used to format the display of theresults of the selection (e.g., label the column for the selected fieldto be displayed as “component”).

FIG. 11D illustrates an example graphical user interface screen 1105including a table of results 1113 based on the selected criteriaincluding splitting the rows by the “component” field. A column 1114having an associated count for each component listed in the table may bedisplayed that indicates an aggregate count of the number of times thatthe particular field-value pair (e.g., the value in a row for aparticular field, such as the value “BucketMover” for the field“component”) occurs in the set of events responsive to the initialsearch query.

FIG. 12 illustrates an example graphical user interface screen 1200 thatallows the user to filter search results and to perform statisticalanalysis on values extracted from specific fields in the set of events.In this example, the top ten product names ranked by price are selectedas a filter 1201 that causes the display of the ten most popularproducts sorted by price. Each row is displayed by product name andprice 1202. This results in each product displayed in a column labeled“product name” along with an associated price in a column labeled“price” 1206. Statistical analysis of other fields in the eventsassociated with the ten most popular products have been specified ascolumn values 1203. A count of the number of successful purchases foreach product is displayed in column 1204. These statistics may beproduced by filtering the search results by the product name, findingall occurrences of a successful purchase in a field within the eventsand generating a total of the number of occurrences. A sum of the totalsales is displayed in column 1205, which is a result of themultiplication of the price and the number of successful purchases foreach product.

The reporting application allows the user to create graphicalvisualizations of the statistics generated for a report. For example,FIG. 13 illustrates an example graphical user interface 1300 thatdisplays a set of components and associated statistics 1301. Thereporting application allows the user to select a visualization of thestatistics in a graph (e.g., bar chart, scatter plot, area chart, linechart, pie chart, radial gauge, marker gauge, filler gauge, etc.), wherethe format of the graph may be selected using the user interfacecontrols 1302 along the left panel of the user interface 1300. FIG. 14illustrates an example of a bar chart visualization 1400 of an aspect ofthe statistical data 1301. FIG. 15 illustrates a scatter plotvisualization 1500 of an aspect of the statistical data 1301.

2.13. Acceleration Technique

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally-processed data “on thefly” at search time using a late-binding schema, instead of storingpre-specified portions of the data in a database at ingestion time. Thisflexibility enables a user to see valuable insights, correlate data, andperform subsequent queries to examine interesting aspects of the datathat may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause delays in processing thequeries. Advantageously, the data intake and query system also employs anumber of unique acceleration techniques that have been developed tospeed up analysis operations performed at search time. These techniquesinclude: (1) performing search operations in parallel across multipleindexers; (2) using a keyword index; (3) using a high performanceanalytics store; and (4) accelerating the process of generating reports.These novel techniques are described in more detail below.

2.13.1. Aggregation Technique

To facilitate faster query processing, a query can be structured suchthat multiple indexers perform the query in parallel, while aggregationof search results from the multiple indexers is performed locally at thesearch head. For example, FIG. 16 is an example search query receivedfrom a client and executed by search peers, in accordance with exampleembodiments. FIG. 16 illustrates how a search query 1602 received from aclient at a search head 210 can split into two phases, including: (1)subtasks 1604 (e.g., data retrieval or simple filtering) that may beperformed in parallel by indexers 206 for execution, and (2) a searchresults aggregation operation 1606 to be executed by the search headwhen the results are ultimately collected from the indexers.

During operation, upon receiving search query 1602, a search head 210determines that a portion of the operations involved with the searchquery may be performed locally by the search head. The search headmodifies search query 1602 by substituting “stats” (create aggregatestatistics over results sets received from the indexers at the searchhead) with “prestats” (create statistics by the indexer from localresults set) to produce search query 1604, and then distributes searchquery 1604 to distributed indexers, which are also referred to as“search peers” or “peer indexers.” Note that search queries maygenerally specify search criteria or operations to be performed onevents that meet the search criteria. Search queries may also specifyfield names, as well as search criteria for the values in the fields oroperations to be performed on the values in the fields. Moreover, thesearch head may distribute the full search query to the search peers asillustrated in FIG. 6A, or may alternatively distribute a modifiedversion (e.g., a more restricted version) of the search query to thesearch peers. In this example, the indexers are responsible forproducing the results and sending them to the search head. After theindexers return the results to the search head, the search headaggregates the received results 1606 to form a single search result set.By executing the query in this manner, the system effectivelydistributes the computational operations across the indexers whileminimizing data transfers.

2.13.2. Keyword Index

As described above with reference to the flow charts in FIG. 5A and FIG.6A, data intake and query system 108 can construct and maintain one ormore keyword indices to quickly identify events containing specifickeywords. This technique can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

2.13.3. High Performance Analytics Store

To speed up certain types of queries, some embodiments of system 108create a high performance analytics store, which is referred to as a“summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the events and includes references toevents containing the specific value in the specific field. For example,an example entry in a summarization table can keep track of occurrencesof the value “94107” in a “ZIP code” field of a set of events and theentry includes references to all of the events that contain the value“94107” in the ZIP code field. This optimization technique enables thesystem to quickly process queries that seek to determine how many eventshave a particular value for a particular field. To this end, the systemcan examine the entry in the summarization table to count instances ofthe specific value in the field without having to go through theindividual events or perform data extractions at search time. Also, ifthe system needs to process all events that have a specific field-valuecombination, the system can use the references in the summarizationtable entry to directly access the events to extract further informationwithout having to search all of the events to find the specificfield-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range. A bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer. The indexer-specificsummarization table includes entries for the events in a data store thatare managed by the specific indexer. Indexer-specific summarizationtables may also be bucket-specific.

The summarization table can be populated by running a periodic querythat scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A periodic query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Aperiodic query can also be automatically launched in response to a querythat asks for a specific field-value combination.

In some cases, when the summarization tables may not cover all of theevents that are relevant to a query, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query. Thesummarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, entitled “Distributed HighPerformance Analytics Store”, issued on 25 Mar. 2014, U.S. Pat. No.9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCE ANALYTICS STOREWITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO AN EVENT QUERY”,issued on 8 Sep. 2015, and U.S. patent application Ser. No. 14/815,973,entitled “GENERATING AND STORING SUMMARIZATION TABLES FOR SETS OFSEARCHABLE EVENTS”, filed on 1 Aug. 2015, each of which is herebyincorporated by reference in its entirety for all purposes.

To speed up certain types of queries, e.g., frequently encounteredqueries or computationally intensive queries, some embodiments of system108 create a high performance analytics store, which is referred to as a“summarization table,” (also referred to as a “lexicon” or “invertedindex”) that contains entries for specific field-value pairs. Each ofthese entries keeps track of instances of a specific value in a specificfield in the event data and includes references to events containing thespecific value in the specific field. For example, an example entry inan inverted index can keep track of occurrences of the value “94107” ina “ZIP code” field of a set of events and the entry includes referencesto all of the events that contain the value “94107” in the ZIP codefield. Creating the inverted index data structure avoids needing toincur the computational overhead each time a statistical query needs tobe run on a frequently encountered field-value pair. In order toexpedite queries, in most embodiments, the search engine will employ theinverted index separate from the raw record data store to generateresponses to the received queries.

Note that the term “summarization table” or “inverted index” as usedherein is a data structure that may be generated by an indexer thatincludes at least field names and field values that have been extractedand/or indexed from event records. An inverted index may also includereference values that point to the location(s) in the field searchabledata store where the event records that include the field may be found.Also, an inverted index may be stored using well-know compressiontechniques to reduce its storage size.

Further, note that the term “reference value” (also referred to as a“posting value”) as used herein is a value that references the locationof a source record in the field searchable data store. In someembodiments, the reference value may include additional informationabout each record, such as timestamps, record size, meta-data, or thelike. Each reference value may be a unique identifier which may be usedto access the event data directly in the field searchable data store. Insome embodiments, the reference values may be ordered based on eachevent record's timestamp. For example, if numbers are used asidentifiers, they may be sorted so event records having a latertimestamp always have a lower valued identifier than event records withan earlier timestamp, or vice-versa. Reference values are often includedin inverted indexes for retrieving and/or identifying event records.

In one or more embodiments, an inverted index is generated in responseto a user-initiated collection query. The term “collection query” asused herein refers to queries that include commands that generatesummarization information and inverted indexes (or summarization tables)from event records stored in the field searchable data store.

Note that a collection query is a special type of query that can beuser-generated and is used to create an inverted index. A collectionquery is not the same as a query that is used to call up or invoke apre-existing inverted index. In one or more embodiment, a query cancomprise an initial step that calls up a pre-generated inverted index onwhich further filtering and processing can be performed. For example,referring back to FIG. 13, a set of events generated at block 1320 byeither using a “collection” query to create a new inverted index or bycalling up a pre-generated inverted index. A query with severalpipelined steps will start with a pre-generated index to accelerate thequery.

FIG. 7C illustrates the manner in which an inverted index is created andused in accordance with the disclosed embodiments. As shown in FIG. 7C,an inverted index 722 can be created in response to a user-initiatedcollection query using the event data 723 stored in the raw record datastore. For example, a non-limiting example of a collection query mayinclude “collect clientip=127.0.0.1” which may result in an invertedindex 722 being generated from the event data 723 as shown in FIG. 7C.Each entry in invertex index 722 includes an event reference value thatreferences the location of a source record in the field searchable datastore. The reference value may be used to access the original eventrecord directly from the field searchable data store.

In one or more embodiments, if one or more of the queries is acollection query, the responsive indexers may generate summarizationinformation based on the fields of the event records located in thefield searchable data store. In at least one of the various embodiments,one or more of the fields used in the summarization information may belisted in the collection query and/or they may be determined based onterms included in the collection query. For example, a collection querymay include an explicit list of fields to summarize. Or, in at least oneof the various embodiments, a collection query may include terms orexpressions that explicitly define the fields, e.g., using regex rules.In FIG. 7C, prior to running the collection query that generates theinverted index 722, the field name “clientip” may need to be defined ina configuration file by specifying the “access_combined” source type anda regular expression rule to parse out the client IP address.Alternatively, the collection query may contain an explicit definitionfor the field name “clientip” which may obviate the need to referencethe configuration file at search time.

In one or more embodiments, collection queries may be saved andscheduled to run periodically. These scheduled collection queries mayperiodically update the summarization information corresponding to thequery. For example, if the collection query that generates invertedindex 722 is scheduled to run periodically, one or more indexers wouldperiodically search through the relevant buckets to update invertedindex 722 with event data for any new events with the “clientip” valueof “127.0.0.1.”

In some embodiments, the inverted indexes that include fields, values,and reference value (e.g., inverted index 722) for event records may beincluded in the summarization information provided to the user. In otherembodiments, a user may not be interested in specific fields and valuescontained in the inverted index, but may need to perform a statisticalquery on the data in the inverted index. For example, referencing theexample of FIG. 7C rather than viewing the fields within summarizationtable 722, a user may want to generate a count of all client requestsfrom IP address “127.0.0.1.” In this case, the search engine wouldsimply return a result of “4” rather than including details about theinvertex index 722 in the information provided to the user.

The pipelined search language, e.g., SPL of the SPLUNK® ENTERPRISEsystem can be used to pipe the contents of an inverted index to astatistical query using the “stats” command for example. A “stats” queryrefers to queries that generate result sets that may produce aggregateand statistical results from event records, e.g., average, mean, max,min, rms, etc. Where sufficient information is available in an invertedindex, a “stats” query may generate their result sets rapidly from thesummarization information available in the inverted index rather thandirectly scanning event records. For example, the contents of invertedindex 722 can be pipelined to a stats query, e.g., a “count” functionthat counts the number of entries in the inverted index and returns avalue of “4.” In this way, inverted indexes may enable various statsqueries to be performed absent scanning or search the event records.Accordingly, this optimization technique enables the system to quicklyprocess queries that seek to determine how many events have a particularvalue for a particular field. To this end, the system can examine theentry in the inverted index to count instances of the specific value inthe field without having to go through the individual events or performdata extractions at search time.

In some embodiments, the system maintains a separate inverted index foreach of the above-described time-specific buckets that stores events fora specific time range. A bucket-specific inverted index includes entriesfor specific field-value combinations that occur in events in thespecific bucket. Alternatively, the system can maintain a separateinverted index for each indexer. The indexer-specific inverted indexincludes entries for the events in a data store that are managed by thespecific indexer. Indexer-specific inverted indexes may also bebucket-specific. In at least one or more embodiments, if one or more ofthe queries is a stats query, each indexer may generate a partial resultset from previously generated summarization information. The partialresult sets may be returned to the search head that received the queryand combined into a single result set for the query

As mentioned above, the inverted index can be populated by running aperiodic query that scans a set of events to find instances of aspecific field-value combination, or alternatively instances of allfield-value combinations for a specific field. A periodic query can beinitiated by a user, or can be scheduled to occur automatically atspecific time intervals. A periodic query can also be automaticallylaunched in response to a query that asks for a specific field-valuecombination. In some embodiments, if summarization information is absentfrom an indexer that includes responsive event records, further actionsmay be taken, such as, the summarization information may generated onthe fly, warnings may be provided the user, the collection queryoperation may be halted, the absence of summarization information may beignored, or the like, or combination thereof.

In one or more embodiments, an inverted index may be set up to updatecontinually. For example, the query may ask for the inverted index toupdate its result periodically, e.g., every hour. In such instances, theinverted index may be a dynamic data structure that is regularly updatedto include information regarding incoming events.

In some cases, e.g., where a query is executed before an inverted indexupdates, when the inverted index may not cover all of the events thatare relevant to a query, the system can use the inverted index to obtainpartial results for the events that are covered by inverted index, butmay also have to search through other events that are not covered by theinverted index to produce additional results on the fly. In other words,an indexer would need to search through event data on the data store tosupplement the partial results. These additional results can then becombined with the partial results to produce a final set of results forthe query. Note that in typical instances where an inverted index is notcompletely up to date, the number of events that an indexer would needto search through to supplement the results from the inverted indexwould be relatively small. In other words, the search to get the mostrecent results can be quick and efficient because only a small number ofevent records will be searched through to supplement the informationfrom the inverted index. The inverted index and associated techniquesare described in more detail in U.S. Pat. No. 8,682,925, entitled“Distributed High Performance Analytics Store”, issued on 25 Mar. 2014,U.S. Pat. No. 9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCEANALYTICS STORE WITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO ANEVENT QUERY”, filed on 31 Jan. 2014, and U.S. patent application Ser.No. 14/815,973, entitled “STORAGE MEDIUM AND CONTROL DEVICE”, filed on21 Feb. 2014, each of which is hereby incorporated by reference in itsentirety.

2.13.3.1 Extracting Event Data Using Posting

In one or more embodiments, if the system needs to process all eventsthat have a specific field-value combination, the system can use thereferences in the inverted index entry to directly access the events toextract further information without having to search all of the eventsto find the specific field-value combination at search time. In otherwords, the system can use the reference values to locate the associatedevent data in the field searchable data store and extract furtherinformation from those events, e.g., extract further field values fromthe events for purposes of filtering or processing or both.

The information extracted from the event data using the reference valuescan be directed for further filtering or processing in a query using thepipeline search language. The pipelined search language will, in oneembodiment, include syntax that can direct the initial filtering step ina query to an inverted index. In one embodiment, a user would includesyntax in the query that explicitly directs the initial searching orfiltering step to the inverted index.

Referencing the example in FIG. 15, if the user determines that sheneeds the user id fields associated with the client requests from IPaddress “127.0.0.1,” instead of incurring the computational overhead ofperforming a brand new search or re-generating the inverted index withan additional field, the user can generate a query that explicitlydirects or pipes the contents of the already generated inverted index1502 to another filtering step requesting the user ids for the entriesin inverted index 1502 where the server response time is greater than“0.0900” microseconds. The search engine would use the reference valuesstored in inverted index 722 to retrieve the event data from the fieldsearchable data store, filter the results based on the “response time”field values and, further, extract the user id field from the resultingevent data to return to the user. In the present instance, the user ids“frank” and “carlos” would be returned to the user from the generatedresults table 722.

In one embodiment, the same methodology can be used to pipe the contentsof the inverted index to a processing step. In other words, the user isable to use the inverted index to efficiently and quickly performaggregate functions on field values that were not part of the initiallygenerated inverted index. For example, a user may want to determine anaverage object size (size of the requested gif) requested by clientsfrom IP address “127.0.0.1.” In this case, the search engine would againuse the reference values stored in inverted index 722 to retrieve theevent data from the field searchable data store and, further, extractthe object size field values from the associated events 731, 732, 733and 734. Once, the corresponding object sizes have been extracted (i.e.2326, 2900, 2920, and 5000), the average can be computed and returned tothe user.

In one embodiment, instead of explicitly invoking the inverted index ina user-generated query, e.g., by the use of special commands or syntax,the SPLUNK® ENTERPRISE system can be configured to automaticallydetermine if any prior-generated inverted index can be used to expeditea user query. For example, the user's query may request the averageobject size (size of the requested gif) requested by clients from IPaddress “127.0.0.1.” without any reference to or use of inverted index722. The search engine, in this case, would automatically determine thatan inverted index 722 already exists in the system that could expeditethis query. In one embodiment, prior to running any search comprising afield-value pair, for example, a search engine may search though all theexisting inverted indexes to determine if a pre-generated inverted indexcould be used to expedite the search comprising the field-value pair.Accordingly, the search engine would automatically use the pre-generatedinverted index, e.g., index 722 to generate the results without anyuser-involvement that directs the use of the index.

Using the reference values in an inverted index to be able to directlyaccess the event data in the field searchable data store and extractfurther information from the associated event data for further filteringand processing is highly advantageous because it avoids incurring thecomputation overhead of regenerating the inverted index with additionalfields or performing a new search.

The data intake and query system includes one or more forwarders thatreceive raw machine data from a variety of input data sources, and oneor more indexers that process and store the data in one or more datastores. By distributing events among the indexers and data stores, theindexers can analyze events for a query in parallel. In one or moreembodiments, a multiple indexer implementation of the search systemwould maintain a separate and respective inverted index for each of theabove-described time-specific buckets that stores events for a specifictime range. A bucket-specific inverted index includes entries forspecific field-value combinations that occur in events in the specificbucket. As explained above, a search head would be able to correlate andsynthesize data from across the various buckets and indexers.

This feature advantageously expedites searches because instead ofperforming a computationally intensive search in a centrally locatedinverted index that catalogues all the relevant events, an indexer isable to directly search an inverted index stored in a bucket associatedwith the time-range specified in the query. This allows the search to beperformed in parallel across the various indexers. Further, if the queryrequests further filtering or processing to be conducted on the eventdata referenced by the locally stored bucket-specific inverted index,the indexer is able to simply access the event records stored in theassociated bucket for further filtering and processing instead ofneeding to access a central repository of event records, which woulddramatically add to the computational overhead.

In one embodiment, there may be multiple buckets associated with thetime-range specified in a query. If the query is directed to an invertedindex, or if the search engine automatically determines that using aninverted index would expedite the processing of the query, the indexerswill search through each of the inverted indexes associated with thebuckets for the specified time-range. This feature allows the HighPerformance Analytics Store to be scaled easily.

In certain instances, where a query is executed before a bucket-specificinverted index updates, when the bucket-specific inverted index may notcover all of the events that are relevant to a query, the system can usethe bucket-specific inverted index to obtain partial results for theevents that are covered by bucket-specific inverted index, but may alsohave to search through the event data in the bucket associated with thebucket-specific inverted index to produce additional results on the fly.In other words, an indexer would need to search through event datastored in the bucket (that was not yet processed by the indexer for thecorresponding inverted index) to supplement the partial results from thebucket-specific inverted index.

FIG. 7D presents a flowchart illustrating how an inverted index in apipelined search query can be used to determine a set of event data thatcan be further limited by filtering or processing in accordance with thedisclosed embodiments.

At block 742, a query is received by a data intake and query system. Insome embodiments, the query can be receive as a user generated queryentered into search bar of a graphical user search interface. The searchinterface also includes a time range control element that enablesspecification of a time range for the query.

At block 744, an inverted index is retrieved. Note, that the invertedindex can be retrieved in response to an explicit user search commandinputted as part of the user generated query. Alternatively, the searchengine can be configured to automatically use an inverted index if itdetermines that using the inverted index would expedite the servicing ofthe user generated query. Each of the entries in an inverted index keepstrack of instances of a specific value in a specific field in the eventdata and includes references to events containing the specific value inthe specific field. In order to expedite queries, in most embodiments,the search engine will employ the inverted index separate from the rawrecord data store to generate responses to the received queries.

At block 746, the query engine determines if the query contains furtherfiltering and processing steps. If the query contains no furthercommands, then, in one embodiment, summarization information can beprovided to the user at block 754.

If, however, the query does contain further filtering and processingcommands, then at block 750, the query engine determines if the commandsrelate to further filtering or processing of the data extracted as partof the inverted index or whether the commands are directed to using theinverted index as an initial filtering step to further filter andprocess event data referenced by the entries in the inverted index. Ifthe query can be completed using data already in the generated invertedindex, then the further filtering or processing steps, e.g., a “count”number of records function, “average” number of records per hour etc.are performed and the results are provided to the user at block 752.

If, however, the query references fields that are not extracted in theinverted index, then the indexers will access event data pointed to bythe reference values in the inverted index to retrieve any furtherinformation required at block 756. Subsequently, any further filteringor processing steps are performed on the fields extracted directly fromthe event data and the results are provided to the user at step 758.

2.13.4. Accelerating Report Generation

In some embodiments, a data server system such as the data intake andquery system can accelerate the process of periodically generatingupdated reports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. If reports can be accelerated, the summarizationengine periodically generates a summary covering data obtained during alatest non-overlapping time period. For example, where the query seeksevents meeting a specified criteria, a summary for the time periodincludes only events within the time period that meet the specifiedcriteria. Similarly, if the query seeks statistics calculated from theevents, such as the number of events that match the specified criteria,then the summary for the time period includes the number of events inthe period that match the specified criteria.

In addition to the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on theseadditional events. Then, the results returned by this query on theadditional events, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so advantageously onlythe newer events needs to be processed while generating an updatedreport. These report acceleration techniques are described in moredetail in U.S. Pat. No. 8,589,403, entitled “Compressed Journaling InEvent Tracking Files For Metadata Recovery And Replication”, issued on19 Nov. 2013, U.S. Pat. No. 8,412,696, entitled “Real Time Searching AndReporting”, issued on 2 Apr. 2011, and U.S. Pat. Nos. 8,589,375 and8,589,432, both also entitled “REAL TIME SEARCHING AND REPORTING”, bothissued on 19 Nov. 2013, each of which is hereby incorporated byreference in its entirety for all purposes.

2.14. Security Features

The data intake and query system provides various schemas, dashboards,and visualizations that simplify developers' tasks to createapplications with additional capabilities. One such application is thean enterprise security application, such as SPLUNK® ENTERPRISE SECURITY,which performs monitoring and alerting operations and includes analyticsto facilitate identifying both known and unknown security threats basedon large volumes of data stored by the data intake and query system. Theenterprise security application provides the security practitioner withvisibility into security-relevant threats found in the enterpriseinfrastructure by capturing, monitoring, and reporting on data fromenterprise security devices, systems, and applications. Through the useof the data intake and query system searching and reportingcapabilities, the enterprise security application provides a top-downand bottom-up view of an organization's security posture.

The enterprise security application leverages the data intake and querysystem search-time normalization techniques, saved searches, andcorrelation searches to provide visibility into security-relevantthreats and activity and generate notable events for tracking. Theenterprise security application enables the security practitioner toinvestigate and explore the data to find new or unknown threats that donot follow signature-based patterns.

Conventional Security Information and Event Management (SIEM) systemslack the infrastructure to effectively store and analyze large volumesof security-related data. Traditional SIEM systems typically use fixedschemas to extract data from pre-defined security-related fields at dataingestion time and store the extracted data in a relational database.This traditional data extraction process (and associated reduction indata size) that occurs at data ingestion time inevitably hampers futureincident investigations that may need original data to determine theroot cause of a security issue, or to detect the onset of an impendingsecurity threat.

In contrast, the enterprise security application system stores largevolumes of minimally-processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the enterprise security application provides pre-specified schemas forextracting relevant values from the different types of security-relatedevents and enables a user to define such schemas.

The enterprise security application can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. The process of detecting security threatsfor network-related information is further described in U.S. Pat. No.8,826,434, entitled “SECURITY THREAT DETECTION BASED ON INDICATIONS INBIG DATA OF ACCESS TO NEWLY REGISTERED DOMAINS”, issued on 2 Sep. 2014,U.S. Pat. No. 9,215,240, entitled “INVESTIGATIVE AND DYNAMIC DETECTIONOF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA”, issuedon 15 Dec. 2015, U.S. Pat. No. 9,173,801, entitled “GRAPHIC DISPLAY OFSECURITY THREATS BASED ON INDICATIONS OF ACCESS TO NEWLY REGISTEREDDOMAINS”, issued on 3 Nov. 2015, U.S. Pat. No. 9,248,068, entitled“SECURITY THREAT DETECTION OF NEWLY REGISTERED DOMAINS”, issued on 2Feb. 2016, U.S. Pat. No. 9,426,172, entitled “SECURITY THREAT DETECTIONUSING DOMAIN NAME ACCESSES”, issued on 23 Aug. 2016, and U.S. Pat. No.9,432,396, entitled “SECURITY THREAT DETECTION USING DOMAIN NAMEREGISTRATIONS”, issued on 30 Aug. 2016, each of which is herebyincorporated by reference in its entirety for all purposes.Security-related information can also include malware infection data andsystem configuration information, as well as access control information,such as login/logout information and access failure notifications. Thesecurity-related information can originate from various sources within adata center, such as hosts, virtual machines, storage devices andsensors. The security-related information can also originate fromvarious sources in a network, such as routers, switches, email servers,proxy servers, gateways, firewalls and intrusion-detection systems.

During operation, the enterprise security application facilitatesdetecting “notable events” that are likely to indicate a securitythreat. A notable event represents one or more anomalous incidents, theoccurrence of which can be identified based on one or more events (e.g.,time stamped portions of raw machine data) fulfilling pre-specifiedand/or dynamically-determined (e.g., based on machine-learning) criteriadefined for that notable event. Examples of notable events include therepeated occurrence of an abnormal spike in network usage over a periodof time, a single occurrence of unauthorized access to system, a hostcommunicating with a server on a known threat list, and the like. Thesenotable events can be detected in a number of ways, such as: (1) a usercan notice a correlation in events and can manually identify that acorresponding group of one or more events amounts to a notable event; or(2) a user can define a “correlation search” specifying criteria for anotable event, and every time one or more events satisfy the criteria,the application can indicate that the one or more events correspond to anotable event; and the like. A user can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The enterprise security application provides various visualizations toaid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics, such as counts ofdifferent types of notable events. For example, FIG. 17A illustrates anexample key indicators view 1700 that comprises a dashboard, which candisplay a value 1701, for various security-related metrics, such asmalware infections 1702. It can also display a change in a metric value1703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 1700 additionallydisplays a histogram panel 1704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338,entitled “Key Indicators View”, filed on 31 Jul. 2013, and which ishereby incorporated by reference in its entirety for all purposes.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 17B illustrates an example incident review dashboard 1710 thatincludes a set of incident attribute fields 1711 that, for example,enables a user to specify a time range field 1712 for the displayedevents. It also includes a timeline 1713 that graphically illustratesthe number of incidents that occurred in time intervals over theselected time range. It additionally displays an events list 1714 thatenables a user to view a list of all of the notable events that matchthe criteria in the incident attributes fields 1711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent.

2.15. Data Center Monitoring

As mentioned above, the data intake and query platform provides variousfeatures that simplify the developers's task to create variousapplications. One such application is a virtual machine monitoringapplication, such as SPLUNK® APP FOR VMWARE® that provides operationalvisibility into granular performance metrics, logs, tasks and events,and topology from hosts, virtual machines and virtual centers. Itempowers administrators with an accurate real-time picture of the healthof the environment, proactively identifying performance and capacitybottlenecks.

Conventional data-center-monitoring systems lack the infrastructure toeffectively store and analyze large volumes of machine-generated data,such as performance information and log data obtained from the datacenter. In conventional data-center-monitoring systems,machine-generated data is typically pre-processed prior to being stored,for example, by extracting pre-specified data items and storing them ina database to facilitate subsequent retrieval and analysis at searchtime. However, the rest of the data is not saved and discarded duringpre-processing.

In contrast, the virtual machine monitoring application stores largevolumes of minimally processed machine data, such as performanceinformation and log data, at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. Suchperformance metrics are described in U.S. patent application Ser. No.14/167,316, entitled “Correlation For User-Selected Time Ranges OfValues For Performance Metrics Of Components In AnInformation-Technology Environment With Log Data From ThatInformation-Technology Environment”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

To facilitate retrieving information of interest from performance dataand log files, the virtual machine monitoring application providespre-specified schemas for extracting relevant values from differenttypes of performance-related events, and also enables a user to definesuch schemas.

The virtual machine monitoring application additionally provides variousvisualizations to facilitate detecting and diagnosing the root cause ofperformance problems. For example, one such visualization is a“proactive monitoring tree” that enables a user to easily view andunderstand relationships among various factors that affect theperformance of a hierarchically structured computing system. Thisproactive monitoring tree enables a user to easily navigate thehierarchy by selectively expanding nodes representing various entities(e.g., virtual centers or computing clusters) to view performanceinformation for lower-level nodes associated with lower-level entities(e.g., virtual machines or host systems). Example node-expansionoperations are illustrated in FIG. 17C, wherein nodes 1733 and 1734 areselectively expanded. Note that nodes 1731-1739 can be displayed usingdifferent patterns or colors to represent different performance states,such as a critical state, a warning state, a normal state or anunknown/offline state. The ease of navigation provided by selectiveexpansion in combination with the associated performance-stateinformation enables a user to quickly diagnose the root cause of aperformance problem. The proactive monitoring tree is described infurther detail in U.S. Pat. No. 9,185,007, entitled “PROACTIVEMONITORING TREE WITH SEVERITY STATE SORTING”, issued on 10 Nov. 2015,and U.S. Pat. No. 9,426,045, also entitled “PROACTIVE MONITORING TREEWITH SEVERITY STATE SORTING”, issued on 23 Aug. 2016, each of which ishereby incorporated by reference in its entirety for all purposes.

The virtual machine monitoring application also provides a userinterface that enables a user to select a specific time range and thenview heterogeneous data comprising events, log data, and associatedperformance metrics for the selected time range. For example, the screenillustrated in FIG. 17D displays a listing of recent “tasks and events”and a listing of recent “log entries” for a selected time range above aperformance-metric graph for “average CPU core utilization” for theselected time range. Note that a user is able to operate pull-down menus1742 to selectively display different performance metric graphs for theselected time range. This enables the user to correlate trends in theperformance-metric graph with corresponding event and log data toquickly determine the root cause of a performance problem. This userinterface is described in more detail in U.S. patent application Ser.No. 14/167,316, entitled “Correlation For User-Selected Time Ranges OfValues For Performance Metrics Of Components In AnInformation-Technology Environment With Log Data From ThatInformation-Technology Environment”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

2.16. It Service Monitoring

As previously mentioned, the data intake and query platform providesvarious schemas, dashboards and visualizations that make it easy fordevelopers to create applications to provide additional capabilities.One such application is an IT monitoring application, such as SPLUNK® ITSERVICE INTELLIGENCE™, which performs monitoring and alertingoperations. The IT monitoring application also includes analytics tohelp an analyst diagnose the root cause of performance problems based onlarge volumes of data stored by the data intake and query system ascorrelated to the various services an IT organization provides (aservice-centric view). This differs significantly from conventional ITmonitoring systems that lack the infrastructure to effectively store andanalyze large volumes of service-related events. Traditional servicemonitoring systems typically use fixed schemas to extract data frompre-defined fields at data ingestion time, wherein the extracted data istypically stored in a relational database. This data extraction processand associated reduction in data content that occurs at data ingestiontime inevitably hampers future investigations, when all of the originaldata may be needed to determine the root cause of or contributingfactors to a service issue.

In contrast, an IT monitoring application system stores large volumes ofminimally-processed service-related data at ingestion time for laterretrieval and analysis at search time, to perform regular monitoring, orto investigate a service issue. To facilitate this data retrievalprocess, the IT monitoring application enables a user to define an IToperations infrastructure from the perspective of the services itprovides. In this service-centric approach, a service such as corporatee-mail may be defined in terms of the entities employed to provide theservice, such as host machines and network devices. Each entity isdefined to include information for identifying all of the events thatpertains to the entity, whether produced by the entity itself or byanother machine, and considering the many various ways the entity may beidentified in machine data (such as by a URL, an IP address, or machinename). The service and entity definitions can organize events around aservice so that all of the events pertaining to that service can beeasily identified. This capability provides a foundation for theimplementation of Key Performance Indicators.

One or more Key Performance Indicators (KPI's) are defined for a servicewithin the IT monitoring application. Each KPI measures an aspect ofservice performance at a point in time or over a period of time (aspectKPI's). Each KPI is defined by a search query that derives a KPI valuefrom the machine data of events associated with the entities thatprovide the service. Information in the entity definitions may be usedto identify the appropriate events at the time a KPI is defined orwhenever a KPI value is being determined. The KPI values derived overtime may be stored to build a valuable repository of current andhistorical performance information for the service, and the repository,itself, may be subject to search query processing. Aggregate KPIs may bedefined to provide a measure of service performance calculated from aset of service aspect KPI values; this aggregate may even be takenacross defined timeframes and/or across multiple services. A particularservice may have an aggregate KPI derived from substantially all of theaspect KPI's of the service to indicate an overall health score for theservice.

The IT monitoring application facilitates the production of meaningfulaggregate KPI's through a system of KPI thresholds and state values.Different KPI definitions may produce values in different ranges, and sothe same value may mean something very different from one KPI definitionto another. To address this, the IT monitoring application implements atranslation of individual KPI values to a common domain of “state”values. For example, a KPI range of values may be 1-100, or 50-275,while values in the state domain may be ‘critical,’ ‘warning,’ ‘normal,’and ‘informational’. Thresholds associated with a particular KPIdefinition determine ranges of values for that KPI that correspond tothe various state values. In one case, KPI values 95-100 may be set tocorrespond to ‘critical’ in the state domain. KPI values from disparateKPI's can be processed uniformly once they are translated into thecommon state values using the thresholds. For example, “normal 80% ofthe time” can be applied across various KPI's. To provide meaningfulaggregate KPI's, a weighting value can be assigned to each KPI so thatits influence on the calculated aggregate KPI value is increased ordecreased relative to the other KPI's.

One service in an IT environment often impacts, or is impacted by,another service. The IT monitoring application can reflect thesedependencies. For example, a dependency relationship between a corporatee-mail service and a centralized authentication service can be reflectedby recording an association between their respective servicedefinitions. The recorded associations establish a service dependencytopology that informs the data or selection options presented in a GUI,for example. (The service dependency topology is like a “map” showinghow services are connected based on their dependencies.) The servicetopology may itself be depicted in a GUI and may be interactive to allownavigation among related services.

Entity definitions in the IT monitoring application can includeinformational fields that can serve as metadata, implied data fields, orattributed data fields for the events identified by other aspects of theentity definition. Entity definitions in the IT monitoring applicationcan also be created and updated by an import of tabular data (asrepresented in a CSV, another delimited file, or a search query resultset). The import may be GUI-mediated or processed using importparameters from a GUI-based import definition process. Entitydefinitions in the IT monitoring application can also be associated witha service by means of a service definition rule. Processing the ruleresults in the matching entity definitions being associated with theservice definition. The rule can be processed at creation time, andthereafter on a scheduled or on-demand basis. This allows dynamic,rule-based updates to the service definition.

During operation, the IT monitoring application can recognize notableevents that may indicate a service performance problem or othersituation of interest. These notable events can be recognized by a“correlation search” specifying trigger criteria for a notable event:every time KPI values satisfy the criteria, the application indicates anotable event. A severity level for the notable event may also bespecified. Furthermore, when trigger criteria are satisfied, thecorrelation search may additionally or alternatively cause a serviceticket to be created in an IT service management (ITSM) system, such asa systems available from ServiceNow, Inc., of Santa Clara, Calif.

SPLUNK® IT SERVICE INTELLIGENCE™ provides various visualizations builton its service-centric organization of events and the KPI valuesgenerated and collected. Visualizations can be particularly useful formonitoring or investigating service performance. The IT monitoringapplication provides a service monitoring interface suitable as the homepage for ongoing IT service monitoring. The interface is appropriate forsettings such as desktop use or for a wall-mounted display in a networkoperations center (NOC). The interface may prominently display aservices health section with tiles for the aggregate KPI's indicatingoverall health for defined services and a general KPI section with tilesfor KPI's related to individual service aspects. These tiles may displayKPI information in a variety of ways, such as by being colored andordered according to factors like the KPI state value. They also can beinteractive and navigate to visualizations of more detailed KPIinformation.

The IT monitoring application provides a service-monitoring dashboardvisualization based on a user-defined template. The template can includeuser-selectable widgets of varying types and styles to display KPIinformation. The content and the appearance of widgets can responddynamically to changing KPI information. The KPI widgets can appear inconjunction with a background image, user drawing objects, or othervisual elements, that depict the IT operations environment, for example.The KPI widgets or other GUI elements can be interactive so as toprovide navigation to visualizations of more detailed KPI information.

The IT monitoring application provides a visualization showing detailedtime-series information for multiple KPI's in parallel graph lanes. Thelength of each lane can correspond to a uniform time range, while thewidth of each lane may be automatically adjusted to fit the displayedKPI data. Data within each lane may be displayed in a user selectablestyle, such as a line, area, or bar chart. During operation a user mayselect a position in the time range of the graph lanes to activate laneinspection at that point in time. Lane inspection may display anindicator for the selected time across the graph lanes and display theKPI value associated with that point in time for each of the graphlanes. The visualization may also provide navigation to an interface fordefining a correlation search, using information from the visualizationto pre-populate the definition.

The IT monitoring application provides a visualization for incidentreview showing detailed information for notable events. The incidentreview visualization may also show summary information for the notableevents over a time frame, such as an indication of the number of notableevents at each of a number of severity levels. The severity leveldisplay may be presented as a rainbow chart with the warmest colorassociated with the highest severity classification. The incident reviewvisualization may also show summary information for the notable eventsover a time frame, such as the number of notable events occurring withinsegments of the time frame. The incident review visualization maydisplay a list of notable events within the time frame ordered by anynumber of factors, such as time or severity. The selection of aparticular notable event from the list may display detailed informationabout that notable event, including an identification of the correlationsearch that generated the notable event.

The IT monitoring application provides pre-specified schemas forextracting relevant values from the different types of service-relatedevents. It also enables a user to define such schemas.

3.0. Microservice System Overview

FIG. 18 illustrates a gateway application 1850 that proxies HypertextTransfer Protocol (HTTP) requests for different microservices 1890included in a microservice system 1800, in accordance with exampleembodiments. As shown, the microservice system 1800 includes, withoutlimitation, any number of gateway servers 1840, any number of upstreamservers 1880 on which any number of the microservices 1890 areexecuting, a load balancer 1820, any number of rule databases 1830, anda validation service 1870. For explanatory purposes, multiple instancesof like objects are denoted with reference numbers identifying theobject and parenthetical numbers identifying the instance, where needed.

The microservice system 1800 provides services associated with the dataintake and query system 108 via a suite of the microservices 1890 inresponse to incoming Hypertext Transmission Protocol (HTTP) requests1810. As shown, the incoming HTTP request 1810 includes, withoutlimitation, a method 1812, an incoming path 1814, an incoming host 1816,an authorization header 1818, and any amount of additional information.The method 1812 is also referred to herein as the “HTTP method” 1812.The method 1812 may be any method that is supported by the HTTPprotocol. Examples of the method 1812 include, without limitation, GET,POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.

Together, the incoming path 1814 and the incoming host 1816 specify aUniform Record Identifier (URI) that is associated with an upstreamservice. As referred to herein, an “upstream service” comprises anyapplication executing on one of the upstream servers 1880. For instance,an upstream service may be one of the microservices 1890, one of thecontainers 1892, a database, a service (e.g., the validation service1870), or the like, executing on the upstream server 1880. Each of theupstream servers 1880 comprises a server that provides services to thegateway server 1840. Accordingly, each of the upstream servers 1880 islocated higher in a hierarchy of servers than the gateway servers 1840.In general, a server that is located higher in the hierarchy of serversmay receive an HTTP request from a server that is located lower in thehierarchy of servers.

For instance, the upstream server 1880(1) is located higher in ahierarchy of servers than the gateway server 1840(1) because theupstream server 1880(1) receives the outgoing HTTP request 1860(1) fromthe gateway server 1840(1). In some embodiments, the forwarder 204 isthe upstream microservice 1890(1) that executes on the upstream server1880(1) as part of the data intake and query system 108. In operation,the gateway application 1850(1) executing on the gateway server 1840(1)could receive the incoming HTTP request 1810(1) from the client device102. The incoming HTTP request 1810(1) could request storage of clientdata. In response, the gateway application 1850(1) could then issue theoutgoing HTTP request 1860(1) that, when received by the forwarder 204,causes the forwarder 204 to store the client data. Accordingly, becausethe upstream server 1880(1) receives the outgoing HTTP request 1860(1)from the gateway server 1840(1), the upstream server 1880(1) isconsidered to be upstream from the gateway server 1840(1).

The authorization header 1818 specifies a user credential that enablesproviders to authenticate and authorize the incoming HTTP request 1810based on an HTTP authentication scheme. In general, the user credentialspecifies a user name and a user password in a format defined by theHTTP authentication scheme. For example, in the “basic HTTPauthentication scheme,” the user name and the user password areconcatenated with a colon and then encoded using base64 to generate theuser credential.

For explanatory purposes only, the microservice 1890(1) is a deployedinstance of the forwarder 240 that is associated with the URI“log-input/events.” The microservice 1890(1) includes, withoutlimitation, two containers 1892. The container 1892 is a first deployedinstance of the indexer 206 that executes as one of the microservices1890 and is associated with the URI “daemon1/raw.” The container 1892(2)is a second deployed instance of the indexer 206 that executes as one ofthe microservices 1890 and is associated with the URI “daemon2/raw.” Themicroservice 1890(2) is a deployed instance of the search head 210 thatis associated with the URI “log-query/events.”

In a conventional microservice system, to provide access to a suite ofmicroservices via HTTP requests, a provider typically identifies theindividual microservices to users. More specifically, for eachmicroservice, the provider supplies one or more associated URIs tousers. For example, the provider could specify that the forwarder 240(x)is associated with the URI “log-inputx/events.” To request storage ofnew data, a user could configure the client device to send an HTTPrequest specifying the URI. Upon receiving the HTTP request, theforwarder 240(x) could perform one or more authentication and/orauthorization operations on the HTTP request to ensure that the HTTPrequest is valid. If the HTTP request is valid, then the forwarder240(x) could store the new data.

One limitation of identifying individual microservices to the users isthat the flexibility to make changes to the suite of microservices istypically constrained by usability concerns. More specifically, when theprovider modifies the number and type of microservices included in thesuite of microservices, the users may be unable to properly requestservices until the provider notifies the users of the modifications.Consequently, to avoid disturbing the users, the provider could bereluctant to make changes to the suite of microservices.

Another limitation of identifying individual microservices to the usersis that each microservice application is required to individuallyimplement any desired authentication and authorization functionality. Asreferred to herein, an instance of a “microservice application” isdeployed to provide a microservice. Embedding authentication andauthorization functionality in each microservice application increasesthe complexity and the time required to develop and maintain themicroservice applications.

3.0.1. Flexible Techniques for Providing Access to a Suite ofMicroservices

To enable the microservice system 1800 to perform actions associatedwith the data intake and query system 108 in a flexible and efficientmanner, the microservice system 1800 includes the gateway application1850. The gateway application 1850 executes on a processor 1812 of thegateway server 1840 and is stored in the memory 1816 of the gatewayserver 1840. Notably, each deployed instance of the gateway application1850 may be a monolithic service, a microservice, a container in which amicroservice executes, etc. The gateway server 1840, the processor 1812,and the memory 1816 may be implemented in any technically feasiblefashion. For example, the gateway server 1840 could be implemented inbare-metal, a cloud computing environment, a distributed computingenvironment, an on-premises computer, a laptop, and so forth. Further,different gateway servers 1840 are not necessarily implemented in thesame fashion.

The processor 1812 may be any instruction execution system, apparatus,or device capable of executing instructions. For example, the processor1812 could comprise a central processing unit (CPU), a graphicsprocessing unit (GPU), a controller, a microcontroller, a state machine,or any combination thereof. The memory 1816 stores content, such assoftware applications and data, for use by the processor 1812. Thememory 1812 may be one or more of a readily available memory, such asrandom access memory (RAM), read only memory (ROM), floppy disk, harddisk, or any other form of digital storage, local or remote.

In some embodiments, a storage (not shown) may supplement or replace thememory 1816. The storage may include any number and type of externalmemories that are accessible to the processor 1812. For example, andwithout limitation, the storage may include a Secure Digital Card, anexternal Flash memory, a portable compact disc read-only memory(CD-ROM), an optical storage device, a magnetic storage device, cloudstorage, other tangible storage media, or any suitable combination ofthe foregoing. Any number of software applications may be provided as anapplication program (or programs) stored on computer readable media suchas a CD-ROM, DVD-ROM, flash memory module, or other tangible storagemedia.

In operation, upon receiving the incoming HTTP request 1810 from one ofthe client devices 210, the load balancer 1820 implements any number andtype of load balancing algorithms to select one of the gatewayapplications 1850. The load balancer 1820 then relays the incoming HTTPrequest 1810 to the selected gateway application 1850. The load balancer1820 is also referred to herein as the load balancing application 1820.For explanatory purposes and as shown, the load balancer 1820 relays theincoming HTTP requests 1810(1) and 1810(2) to the gateway application1850(1).

After receiving the incoming HTTP request 1810, the gateway application1850 interacts with the validation service 1870 to evaluate theauthorization header 1818. More specifically, the gateway application1850 determines whether the incoming HTTP request 1810 is verifiablyvalid (i.e., authentic and authorized). In addition, the gatewayapplication 1850 determines a tenant identifier and a user identifierassociated with the incoming HTTP request 1810.

If the incoming HTTP request 1810 is not verifiably valid, then thegateway application 1850 transmits an HTTP response that specifies anerror code to the client device 102 that issued the incoming HTTPrequest 1810. If, however, the incoming HTTP request 1810 is verifiablyvalid, then the gateway application 1850 identifies the microservice1890 that is to perform the action requested in the incoming HTTPrequest 1810. In general, the gateway application 1850 identifies themicroservice 1890 based on the associated rule database 1830.

As shown, each of the gateway applications 1850 is associated with oneof the rule databases 1830. In alternate embodiments, the microservicesystem 1800 may include any number of the rule databases 1830, and anynumber of the gateway applications 1850 may be associated with each ofthe rule databases 1830. For example, the microservice system 1800 couldinclude ten gateway applications 1850 that are associated with a singlerule database 1830.

In general, the rule database 1830 includes any number of routing rules(not shown in FIG. 18), where each routing rule associates a particularset of values for a set of characteristics of the incoming HTTP request1810 with one of the microservices 1890. In general, each of thecharacteristics reflects information associated with the method 1812 orat least one of the headers included in the incoming HTTP request 1810,such as the authorization header 1818.

For instance, in some embodiments and as described in more detail inconjunction with FIG. 19, the set of characteristics includes the method1812, the path 1814, and the tenant identifier. In some embodiments, oneor more characteristics included in the set of characteristics reflectinformation included in a custom header. For example, a particularprovider could specify the syntax and semantics for a provider-specificheader that is to be included in each of the incoming HTTP requests1810.

After identifying the microservice 1890 that is to perform the actionrequested in the incoming HTTP request 1810, the gateway application1850 generates an outgoing HTTP request 1810. More precisely, thegateway application 1850 generates the outgoing HTTP request 1810 thatrequests the same action as the incoming HTTP request 1810, butspecifies an outgoing host and an outgoing path that are associated withthe identified microservice 1890. Further, the gateway application 1850generates and appends a tenancy header and a user header to the outgoingHTTP request 1860. The tenancy header and the user header specify,respectively, the tenant identifier and the user identifier. Finally,the gateway application 1850 issues the outgoing HTTP request 1860.

In general, upon receiving the outgoing HTTP request 1860(x) derivedfrom the incoming HTTP request 1810(x), the microservice 1890 performsthe action requested in the incoming HTTP request 1810(x). For example,the microservice 1890(1) could perform one or more storage operations tostore data. In another example, the microservice 1890(2) could performone or more search operations to retrieve data Further, the microservice1890 may perform any amount and type of operations based on the tenancyheader and the user header. For example, the microservice 1890(1) coulddetermine whether to forward data to the container 1892(1) or thecontainer 1892(2) based on the tenancy identifier included in thetenancy header.

For explanatory purposes only, both the incoming HTTP request 1810(1)and 1810(2) specify the incoming path 1814 “/v1/events,” the incominghost 1816 “x.com,” and the same authorization header 1818. However, theincoming HTTP request 1810(1) specifies the method 1812 “POST,” and theincoming HTTP request 1810(2) specifies the method 1812 “GET.” Becausethe method 1812 “POST” is associated with providing data, the gatewayapplication 1850 generates the outgoing HTTP request 1860(1) thatconfigures the forwarder 204 to store the provided data. By contrast,because the method 1812 “GET” is associated with retrieving data, thegateway application 1850 generates the outgoing HTTP request 1860(2)that configures the search head 210 to retrieve data.

Advantageously, by automatically determining which microservice 1890 isto perform the action requested in the incoming HTTP request 1810, thegateway application 1850 enables the underlying microservices 1890 toperform actions without exposing the microservices 1890 to users.Further, because the gateway application 1850 does not generate theoutgoing HTTP request 1810(x) unless the incoming HTTP request 1810(x)is verifiably valid, each of the microservices 1890 need not implementauthentication and authorization functionality.

It will be appreciated that the microservice system 1800 shown herein isillustrative and that variations and modifications are possible. Thenumber of and locations of the gateway servers 1840, the gatewayapplication 1850, the rule databases 1830, the microservices 1890, andthe containers 1892 may be modified as desired. Further, the connectiontopology between the various units in the microservice system 1800 mayvary.

The functionality included in any of the applications, services,microservices, containers, and the like may be divided in anytechnically feasible fashion across any number of entities that arelocated in any number of physical locations. For instance, in someembodiments, the gateway application 1850 includes the functionality toperform authentication, authorization, and identification operationsinternally, and the microservice system 1800 does not include thevalidation service 1870.

As a general matter, the techniques described herein are illustrativerather than restrictive, and may be altered without departing from thebroader spirit and scope of the invention. Many modifications andvariations on the functionality provided by any elements included in themicroservice system 1800 will be apparent to those of ordinary skill inthe art without departing from the scope and spirit of the describedembodiments

In particular, any number of the techniques may be implemented whileother techniques may be omitted in any technically feasible fashion thatenables the gateway application 1850 to generate the outgoing HTTPrequest 1860 that specifies the proper microservice 1890. For example,in some embodiments, the gateway application 1850 does not generate andappend the tenancy header and the user header to the outgoing HTTPrequest 1860. In the same or other embodiments, the microservice system1800 does not include the load balancer 1820, and the gatewayapplications 1850 receive the incoming HTTP requests 1810 directly fromthe client devices 102.

Notably, the functionality of the gateway application 1850 is describedin the context of the microservices 1890 and the containers 1892included in the data intake and query system 108 for explanatorypurposes only. In other embodiments the gateway application 1850 mayproxy requests for any number and combination of upstream services(e.g., any number of the microservices 1890, the containers 1892,services, databases, and the like).

3.0.2. Translating Incoming HTTP Requests to Outgoing HTTP Requests

FIG. 19 illustrates a technique for translating the incoming HypertextTransfer Protocol (HTTP) 1810(1) request to the outgoing HTTP request1860(1) via the gateway application 1850 of FIG. 18, in accordance withexample embodiments. For explanatory purposes only, FIG. 19 depicts asequence of events involved in translating the incoming HTTP request1810(1) to the outgoing HTTP request 1860(1) as a series of numberedbubbles.

First, as depicted with the bubble numbered 1, the gateway application1850 receives the incoming HTTP request 1810(1). The incoming requestHTTP 1810(1) specifies the method 1812 “POST,” the incoming path 1814“v1/events,” the incoming host 1816 “x.com,” and the authorizationheader 1916. As shown, the gateway application 1850 includes, withoutlimitation, a validation engine 1940 and a proxy engine 1920.

Second, as depicted with the bubble numbered 2, the validation engine1940 performs authentication, authorization, and/or identificationoperations associated with the incoming HTTP request 1810(1). Morespecifically, the validation engine 1940 determines a user credential1940 associated with the incoming HTTP request 1810(1) based on theauthorization header 1816. The validation engine 1940 then transmits theuser credential 1940 to the validation service 1870.

As shown, the validation service 1870 returns an error flag 1976, atenant identifier (ID) 1972, and a user identifier (ID) 1974. If thevalidation service 1870 is able to verify that the incoming HTTP request1810(1) is valid (i.e., authentic and authorized), then the validationservice 1870 sets the error flag 1976 equal to false. If, however, thevalidation service 1870 is unable to verify that the incoming HTTPrequest 1810(1) is valid, then the validation service 1870 sets theerror flag 1976 equal to true. The tenant identifier 1972 and the useridentifier 1974 specify, respectively, the tenant and the userassociated with the incoming HTTP request 1810(1).

The validation service 1870 may perform any number and type ofauthentication, authorization, and/or identification operations based onthe user credential 1940 to generate the error flag 1976, the tenantidentifier 1972, and the user identifier 1974. In alternate embodiments,the validation engine 1940 and/or the validation service 1870 maygenerate the error flag 1976, the tenant identifier 1972, and the useridentifier 1974 based on any amount and type of information specified inany technically feasible fashion. Notably each of the tenants may beassociated with any number of users, and each user may be associatedwith any number of tenants.

For example, the validation engine 1940 could transmit the usercredential 1940, the method 1810, and the incoming path 1814 to thevalidation service 1870. The validation service 1870 could then performauthentication, authorization, and identification operations based onany number of the user credential 1940, the method 1810, and theincoming path 1814. In the same or other embodiments, for each of theincoming HTTP requests 1810, the validation service 1870 may determinewhether to perform authorization operations based on the method 1810and/or the incoming path 1814. For example, the validation service 1870could be configured to perform authorization operations when the method1812 is equal to “POST,” and not to perform authorization operationswhen the method 1812 is equal to “GET.”

If the error flag 1976 is equal to true, then the validation engine 1940returns an HTTP response indicating an error status to the client device102 that issued the incoming HTTP request 1810(1), and the gatewayapplication 1850 ceases to process the incoming HTTP request 1810(1).If, however, the error flag 1976 is equal to false, then the validationengine 1940 generates a tenancy header 1980 that specifies the tenantidentifier 1972 and a user header 1990 that specifies the useridentifier 1974. The validation engine 1940 may generate the tenancyheader 1980 and the user header 1990 in any technically feasible fashionthat is consistent with an HTTP protocol for headers.

Third, as depicted with the bubble numbered 3, the proxy engine 1920evaluates the incoming HTTP request 1810(1) in conjunction with the ruledatabase 1830 to identify the microservice 1890 that is to perform theaction requested in the incoming HTTP request 1810(1). As shown, therules database 1830 includes, without limitation, any number of routingrules 1950. Each of the routing rules 1950 includes, with limitation, avalue for the method 1812, a value for the incoming path 1814, a tenantlist 1952, and an outgoing URI 1960. The tenant list 1952 specifies anynumber of tenant identifiers 1972. The outgoing URI 1960 is associatedwith one of the microservices 1890 included in the microservice system1800. In alternate embodiments, each of the routing rules 1950 mayspecify a set of values for a set of any number and type ofcharacteristics associated with the incoming HTTP request 1810 in anytechnically feasible fashion.

For a particular routing rule 1950, if the incoming HTTP request 1810(1)includes the specified values for the method 1812 and the incoming path1814, and the associated tenant identifier 1972 is included in thetenant list 1952, then the routing rule 1950 “matches” the incoming HTTPrequest 1810(1). Upon identifying the routing rule 1950 that matches theincoming HTTP request 1810(1), the proxy engine 1920 maps the incomingHTTP request 1810(1) to the outgoing URI 1960 specified in theidentified routing rule 1950. In particular, the proxy engine 1920determines that the microservice 1890(1) associated with the outgoingURI 1960 specified in the identified routing rule 1950 is to perform theaction requested in the incoming HTTP request 1810(1).

As shown, the routing rule 1950(1) maps the incoming HTTP requests 1810that specify the method 1812 “POST,” specify the incoming path 1814“/v1/events,” and are associated with any of the tenant identifiers 1972to the outgoing URI 1960 “log-input/events.” Referring back to FIG. 18,the outgoing URI 1960 “log-input/events” is associated with themicroservice 1890(1) executing an instance of the forwarder 204.

Referring back now to FIG. 19, the routing rule 1950(2) maps theincoming HTTP requests 1810 that specify the method 1812 “GET,” specifythe incoming path 1814 “/v1/events,” and are associated with any of thetenant identifiers 1972 to the outgoing URI 1960 “log-query/events.”Referring back to FIG. 18, the outgoing URI 1960 “log-query/events” isassociated with the microservice 1890(2) executing an instance of thesearch head 210.

Referring back again to FIG. 19, the routing rule 1950(3) maps theincoming HTTP requests 1810 that specify the method 1812 “POST,” specifythe incoming path 1814 “/collector/raw,” and are associated with any ofthe tenant identifiers 1972 in the range 1 through 50 to the outgoingURI 1960 “daemon1/raw.” Referring back to FIG. 18, the outgoing URI 1960“daemon1/raw” is associated with the microservice 1890 that is executingthe indexer 206(1) inside the container 1892(1). Accordingly, therouting rule 1950(3) ensures that the daemon1/raw processes raw datathat is provided by the tenants associated with the tenant identifiers1972(1)-1972(50), and does not process raw data that is provided by anyother tenants. In this fashion, the routing rule 1950(3) enforces amulti-tenancy policy associated with the data intake and query system108.

Referring back once again to FIG. 19, the proxy engine 1920 determinesthat the routing rule 1950(1) matches the incoming HTTP request 1810(1).Consequently, the proxy engine 1920 determines that the microservice1890(1) associated with the outgoing URI 1960 “log-input/events”specified in the routing rule 1950(1) is to perform the action requestedin the incoming HTTP request 1810(1). The proxy engine 1920 thengenerates routing info 1910 based on the outgoing URI 1960. As shown,the routing info 1910 includes, without limitation, an outgoing path1914 and an outgoing path 1916. More precisely, the proxy engine 1920decomposes the URI 1960 “log-input/events” into the outgoing host 1916“log-input” and the outgoing path 1914 “/events” based on a standardizedURI format.

Finally, as depicted with the bubble numbered 4, the gateway application1950 generates the outgoing HTTP request 1860(1) based on the incomingHTTP request 1810(1), the outgoing path 1914, the outgoing host 1916,the tenancy header 1980 and the user header 1990. In general, theoutgoing HTTP request 1860 includes the same content as thecorresponding incoming HTTP request 1810 except that:

-   -   the outgoing HTTP request 1860 specifies the outgoing path 1914        instead of the incoming path 1814 specified in the corresponding        incoming HTTP request 1810;    -   the outgoing HTTP request 1860 specifies the outgoing host 1916        instead of the incoming host 1816 specified in the corresponding        incoming HTTP request 1810; and    -   the outgoing HTTP request 1860 includes two additional headers:        the tenancy header 1980 and the user header 1990.

The gateway application 1950 may generate the outgoing HTTP request1860(1) in any technically feasible fashion. For instance, in someembodiments, the gateway application 1950 copies the incoming HTTPrequest 1810(1) to the outgoing HTTP request 1860(1). The gatewayapplication 1950 then performs replacement operations on the outgoingHTTP request 1860(1) that replace the incoming path 1814 with theoutgoing path 1914 and replace the incoming host 1816 with the outgoinghost 1916. Finally, the gateway application 1950 appends the tenancyheader 1980 and the user header 1990 to the outgoing HTTP request1860(1).

In alternate embodiments, the gateway application 1950 may identify theupstream service that is to perform the action requested in the incomingHTTP request 1810 in any technically feasible fashion based on at leastone of the method 1812 or a header included in the incoming HTTP request1810. Further, the upstream service may be any of a microservice,container, service, or the like that is executing on one of the upstreamservers 1880. The upstream server 1880 may be internal or external tothe microservice system 1800. The gateway application 1850 may generatethe outgoing HTTP request 1860 in any technically feasible fashion thatcauses the identified upstream service, upon receiving the outgoing HTTPrequest 1860, to perform the action requested in the incoming HTTPrequest 1810.

FIG. 20 is a flow diagram of method steps for proxying HTTP requests formicroservices, in accordance with example embodiments. Although themethod steps are described with reference to the systems of FIGS. 1-4and 18-8, persons skilled in the art will understand that any systemconfigured to implement the method steps, in any order, falls within thescope of the present invention.

As shown, a method 2000 begins at step 2002, where the gatewayapplication 1850 receives the incoming HTTP request 1810 associated withthe client device 102. At step 2004, the validation engine 1940determines the user credential 1940 based on the authorization header1818 included in the incoming HTTP request 1810. At step 2006, thevalidation engine 1940 transmits the user credential 1940 to thevalidation service 1870 and, in response, receives the error flag 1976,the tenant identifier 1972, and the user identifier 1974.

At step 2008, the validation engine 1940 determines whether the errorflag 1976 indicates that the validation service 1870 was unable toauthenticate and authorize the incoming HTTP request 1810. If, at step2008, the validation engine 1940 determines that the error flag 1976indicates that the validation service 1870 was unable to authenticateand authorize the incoming HTTP request 1810, then the method 2000proceeds to step 2010. At step 2010, the validation engine 1940transmits an HTTP response specifying an error status to the clientdevice 102 that generated the incoming HTTP request 1810. The method2000 then terminates.

If, however, at step 2008, the validation engine 1940 determines thatthe error flag 1976 indicates that the validation engine 1940 was ableto authenticate and authorize the incoming HTTP request 1810, then themethod 2000 proceeds directly to step 2012. At step 2012, the validationengine 1940 generates the tenancy header 1980 specifying the tenantidentifier 1972 and the user header 1990 specifying the user identifier1974.

At step 2014, the proxy engine 1920 determines the outgoing URI 1960based on the method 1812, the incoming path 1814, and the tenantidentifier 1972. The outgoing URI 1960 is associated with themicroservice 1890 that is to perform the action requested in theincoming HTTP request 1810. In alternate embodiments, the proxy engine1920 may determine the outgoing URI 1960 based on any amount and type ofinformation in any technically feasible fashion. At step 2016, the proxyengine determines the outgoing path 1914 and the outgoing host 1916based on the outgoing URI 1960.

At step 2018, the gateway application 1850 generates the outgoing HTTPrequest 1860 based on the incoming HTTP request 1810, the outgoing path1914, the outgoing host 1916, the tenancy header 1980, and the userheader 1990. At step 2020, the gateway application 1850 issues theoutgoing HTTP request 1860. At step 2022, the microservice 1890associated with the outgoing URI 1960 receives the outgoing HTTP request1860. Notably, the action requested via the outgoing HTTP request 1860matches the action requested via the incoming HTTP request 1810.Consequently, the outgoing HTTP request 1860 causes the microservice1890 associated with the outgoing URI 1960 to perform the actionrequested via the incoming HTTP request 1810.

At step 2024, the gateway application 1850 determines whether thegateway application 1850 is to finish executing (e.g., the gatewayserver 1840 is powering down). If, at step 2024, the gateway application1850 determines that the gateway application 1850 is to continueexecuting, then the method 2000 returns to step 2002, where the gatewayapplication 1850 receives a new incoming HTTP request 1810. If, however,at step 2024, the gateway application 1850 determines that the gatewayapplication 1850 is to finish executing, then the method 2000terminates.

In sum, the disclosed techniques may be implemented to provide access toa suite of upstream services (e.g., microservices) via incoming HTTPrequests. Each incoming HTTP request may include, without limitation, amethod, an incoming path, an incoming host, an authorization header, andany number of additional headers. A load balancer associated with theincoming host receives the incoming HTTP request from a client andrelays the incoming HTTP request to a gateway application. The gatewayapplication may include, without limitation, a validation engine and aproxy engine. The validation engine performs authorization andauthentication operations based on an authorization header included inthe HTTP request to determine whether the HTTP request is valid. If theHTTP request is not valid, then the validation engine returns an HTTPresponse indicating an error code to the client. If, however, the HTTPrequest is valid, then the validation engine determines a tenantidentifier and a user identifier based on the authorization header.Further, the validation engine generates a tenancy header that includesthe tenant identifier and a user header that includes the useridentifier.

Subsequently, the proxy engine evaluates the HTTP request based on arule database, the method, the incoming path, and the tenant identifier.Each routing rule included in the rule database specifies an outgoingURI that is applicable to a different combination of the method, theincoming path, and the tenant identifier. Each outgoing URI isassociated with an upstream service. After identifying the routing rulethat is applicable to the incoming HTTP request, the proxy enginedetermines the outgoing host and the outgoing path based on the outgoingURI included in the identified routing rule. The gateway applicationthen modifies the incoming HTTP request to generate an outgoing HTTPrequest based on the outgoing host, the outgoing path, the tenancyheader, and the user header. In some embodiments, the gatewayapplication copies the incoming HTTP request to create the outgoing HTTPrequest. The proxy engine replaces the incoming host and the incomingpath included in the outgoing HTTP request with, respectively, theoutgoing host and the outgoing path. The gateway application thenappends the tenancy header and the user header to the outgoing HTTPrequest.

Finally, the gateway application issues the outgoing request HTTPrequest. Upon receiving the outgoing HTTP request, the proper upstreamservice performs one or more operations as per the incoming HTTPrequest.

Advantageously, the gateway application reduces the inflexibility andcomplexity associated with conventional techniques for processing HTTPrequests for microservices. Because the gateway application acts as aproxy for individual microservices, a provider of a suite ofmicroservices need not expose the individual microservices to theclients. Consequently, the provider is able to change the suite ofmicroservices as well as individual microservices without unnecessarilydisrupting the clients. Since the provider may add, update, or deletemicroservices from the suite of microservices without negativelyimpacting the clients, the provider may individually scale microservicesto reflect the needs of the users. Further, because the gatewayapplication ensures the validity of an incoming HTTP request prior togenerating and issuing a corresponding outgoing HTTP request, theindividual microservices do not need to individually implementauthentication and authorization functionality.

1. In some embodiments, a method for processing atomic operationscomprises identifying an upstream service based on at least one of aHypertext Transmission Protocol (HTTP) method and a header included inan incoming HTTP request; generating an outgoing HTTP request based onthe upstream service and the incoming HTTP request; and issuing theoutgoing HTTP request to cause the upstream service to perform an actionrequested in the incoming HTTP request.

2. The computer-implemented method of clause 1, further comprising,prior to generating the outgoing HTTP request, performing one or moreauthorization operations based on the incoming HTTP request to determinethat the incoming HTTP request is authorized.

3. The computer-implemented method of clauses 1 or 2, furthercomprising, prior to generating the outgoing HTTP request, performingone or more authentication operations based on the incoming HTTP requestto determine that the incoming HTTP request is authentic.

4. The computer-implemented method of any of clauses 1-3, whereinidentifying the upstream service comprises determining a tenantidentifier based on an authorization header included in the incomingHTTP request; and selecting a rule included in a plurality of rulesbased on the tenant identifier, wherein the rule specifies a UniformResource Identifier (URI) associated with the upstream service,

5. The computer-implemented method of any of clauses 1-4, whereinidentifying the upstream service comprises selecting a rule included aplurality of rules based on the HTTP method and a custom header includedin the HTTP request, wherein the rule specifies a Uniform ResourceIdentifier (URI) associated with the upstream service.

6. The computer-implemented method of any of clauses 1-5, whereinidentifying the upstream service comprises selecting a rule included aplurality of rules based on the HTTP method and an incoming pathincluded in the incoming HTTP request, wherein the rule specifies aUniform Resource Identifier (URI) associated with the upstream service.

7. The computer-implemented method of any of clauses 1-6 whereingenerating the outgoing HTTP request comprises determining an outgoinghost and an outgoing path associated with the upstream service;replacing an incoming host included in the incoming HTTP request withthe outgoing host to produce an intermediate HTTP request; and replacingan incoming path included in the intermediate HTTP request with theoutgoing path to produce the outgoing HTTP request.

8. The computer-implemented method of any of clauses 1-7, whereingenerating the outgoing HTTP request comprises generating at least oneof a tenancy header and a user header based on the incoming HTTPrequest; adding the at least one of the tenancy header and the userheader to the incoming HTTP request to produce an intermediate HTTPrequest; and modifying the intermediate HTTP request based on a UniformRecord Identifier (URI) associated with the upstream service.

9. The computer-implemented method of any of clauses 1-8, wherein theupstream service comprises one of a first microservice, a first service,and a first container executing on an upstream server.

10. The computer-implemented method of any of clauses 1-9, wherein theupstream service comprises a microservice executing on the upstreamserver and included in a data storage system that stores data as aplurality of time-indexed events including respective segments of rawmachine data.

11. The computer-implemented method of any of clauses 1-10, whereinperforming the action requested in the incoming HTTP request comprisesexecuting one or more search operations or executing one or more storageoperations.

12. The computer-implemented method of any of clauses 1-11, furthercomprising receiving the incoming HTTP request from a load balancingapplication.

13. The computer-implemented method of any of clauses 1-12, furthercomprising receiving a second HTTP request; determining that the secondHTTP request is not valid; and issuing an HTTP response indicating thatthe second HTTP request was not successfully processed.

14. In some embodiments, a computer-readable storage medium includesinstructions that, when executed by a processor, cause the processor toperform the steps of identifying an upstream service based on at leastone of a Hypertext Transmission Protocol (HTTP) method and a headerincluded in an incoming HTTP request; generating an outgoing HTTPrequest based on the upstream service and the incoming HTTP request; andissuing the outgoing HTTP request to cause the upstream service toperform an action requested in the incoming HTTP request.

15. The non-transitory computer-readable storage medium of clause 14,further comprising, prior to generating the outgoing HTTP request,performing one or more authorization operations based on the incomingHTTP request to determine that the incoming HTTP request is authorized.

16. The non-transitory computer-readable storage medium of clauses 14 or15, further comprising, prior to generating the outgoing HTTP request,performing one or more authentication operations based on the incomingHTTP request to determine that the incoming HTTP request is authentic.

17. The non-transitory computer-readable storage medium of any ofclauses 14-16, wherein identifying the upstream service comprisesdetermining a tenant identifier based on an authorization headerincluded in the incoming HTTP request; and selecting a rule included ina plurality of rules based on the tenant identifier, wherein the rulespecifies a Uniform Resource Identifier (URI) associated with theupstream service.

18. The non-transitory computer-readable storage medium of any ofclauses 14-17, wherein identifying the upstream service comprisesselecting a rule included a plurality of rules based on the HTTP methodand an incoming path included in the incoming HTTP request, wherein therule specifies a Uniform Resource Identifier (URI) associated with theupstream service.

19. The non-transitory computer-readable storage medium of any ofclauses 14-18, wherein generating the outgoing HTTP request comprisesdetermining an outgoing host and an outgoing path associated with theupstream service; replacing an incoming host included in the incomingHTTP request with the outgoing host to produce an intermediate HTTPrequest; and replacing an incoming path included in the intermediateHTTP request with the outgoing path to produce the outgoing HTTPrequest.

20. The non-transitory computer-readable storage medium of any ofclauses 14-19, wherein generating the outgoing HTTP request comprisesgenerating at least one of a tenancy header and a user header based onthe incoming HTTP request; adding the at least one of the tenancy headerand the user header to the incoming HTTP request to produce anintermediate HTTP request; and modifying the intermediate HTTP requestbased on a Uniform Record Identifier (URI) associated with the upstreamservice.

21. The non-transitory computer-readable storage medium of any ofclauses 14-20, wherein the upstream service comprises one of a firstmicroservice, a first service, a first database, and a first containerexecuting on an upstream server.

22. The non-transitory computer-readable storage medium of any ofclauses 14-21, further comprising receiving a second HTTP request;determining that the second HTTP request is not valid; and issuing anHTTP response indicating that the second HTTP request was notsuccessfully processed.

23. In some embodiments, a computing device comprises a memory storing agateway application; and a processor coupled to the memory, wherein whenexecuted by the processor, the gateway application causes the processorto identify an upstream service based on at least one of a HypertextTransmission Protocol (HTTP) method and a header included in an incomingHTTP request; generate an outgoing HTTP request based on the upstreamservice and the incoming HTTP request; and issue the outgoing HTTPrequest to cause the upstream service to perform an action requested inthe incoming HTTP request.

24. The computing device of clause 23, wherein prior to generating theoutgoing HTTP request, the gateway application further causes theprocessor to perform one or more authorization operations based on theincoming HTTP request to determine that the incoming HTTP request isauthorized.

25. The computing device of clauses 23 or 24, wherein prior togenerating the outgoing HTTP request, the gateway application furthercauses the processor to perform one or more authentication operationsbased on the incoming HTTP request to determine that the incoming HTTPrequest is authentic.

26. The computing device of any of clauses 23-25, wherein identifyingthe upstream service comprises determining a tenant identifier based onan authorization header included in the incoming HTTP request; andselecting a rule included in a plurality of rules based on the tenantidentifier, wherein the rule specifies a Uniform Resource Identifier(URI) associated with the upstream service.

27. The computing device of any of clauses 23-26, wherein identifyingthe upstream service comprises selecting a rule included a plurality ofrules based on the HTTP method and an incoming path included in theincoming HTTP request, wherein the rule specifies a Uniform ResourceIdentifier (URI) associated with the upstream service.

28. The computing device of any of clauses 23-27, wherein generating theoutgoing HTTP request comprises determining an outgoing host and anoutgoing path associated with the upstream service; replacing anincoming host included in the incoming HTTP request with the outgoinghost to produce an intermediate HTTP request; and replacing an incomingpath included in the intermediate HTTP request with the outgoing path toproduce the outgoing HTTP request.

29. The computing device of any of clauses 23-28, wherein generating theoutgoing HTTP request comprises generating at least one of a tenancyheader and a user header based on the incoming HTTP request; adding theat least one of the tenancy header and the user header to the incomingHTTP request to produce an intermediate HTTP request; and modifying theintermediate HTTP request based on a Uniform Record Identifier (URI)associated with the upstream service.

30. The computing device of any of clauses 23-30, wherein the upstreamservice comprises one of a first microservice, a first service, a firstdatabase, and a first container executing on an upstream server.

Any and all combinations of any of the claim elements recited in any ofthe claims and/or any elements described in this application, in anyfashion, fall within the contemplated scope of the present invention andprotection.

The descriptions of the various embodiments have been presented forpurposes of illustration, but are not intended to be exhaustive orlimited to the embodiments disclosed. Many modifications and variationswill be apparent to those of ordinary skill in the art without departingfrom the scope and spirit of the described embodiments.

Aspects of the present embodiments may be embodied as a system, methodor computer program product. Accordingly, aspects of the presentdisclosure may take the form of an entirely hardware embodiment, anentirely software embodiment (including firmware, resident software,micro-code, etc.) or an embodiment combining software and hardwareaspects that may all generally be referred to herein as a “module” or“system.” Furthermore, aspects of the present disclosure may take theform of a computer program product embodied in one or more computerreadable medium(s) having computer readable program code embodiedthereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

Aspects of the present disclosure are described above with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, enable the implementation of the functions/acts specified inthe flowchart and/or block diagram block or blocks. Such processors maybe, without limitation, general purpose processors, special-purposeprocessors, application-specific processors, or field-programmableprocessors or gate arrays.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

While the preceding is directed to embodiments of the presentdisclosure, other and further embodiments of the disclosure may bedevised without departing from the basic scope thereof, and the scopethereof is determined by the claims that follow.

What is claimed is:
 1. A computer-implemented method, comprising:determining a set of parameters associated with an incoming HypertextTransmission Protocol (HTTP) request, wherein the set of parametersincludes at least an entity identifier and an HTTP method; determining,based on a rule and the set of parameters, that the incoming HTTPrequest should be routed to an upstream service that is associated witha first path, wherein the rule specifies a mapping between the set ofparameters and the first path; generating an outgoing HTTP request thatspecifies the first path; and issuing the outgoing HTTP request to causethe upstream service to perform an action requested in the incoming HTTPrequest.
 2. The method of claim 1, further comprising identifying therule based on the set of parameters.
 3. The method of claim 1, whereinthe set of parameters are included in a header of the incoming HTTPrequest.
 4. The method of claim 1, further comprising, prior togenerating the outgoing HTTP request, performing one or moreauthentication operations based on the incoming HTTP request todetermine that the incoming HTTP request is authentic.
 5. The method ofclaim 1, further comprising, prior to generating the outgoing HTTPrequest, performing one or more authorization operations based on theincoming HTTP request to determine that the incoming HTTP request isauthorized.
 6. The method of claim 1, wherein generating the outgoingHTTP request comprises: generating at least one of a tenancy header or auser header based on the incoming HTTP request; and adding the at leastone of the tenancy header or the user header to the outgoing HTTPrequest.
 7. The method of claim 1, wherein determining that the incomingHTTP request should be routed to the upstream service comprises applyingthe rule to information specified in a custom header included in theincoming HTTP request.
 8. The method of claim 1, wherein performing theaction requested in the incoming HTTP request comprises executing one ormore search operations or executing one or more storage operations. 9.The method of claim 1, wherein generating the outgoing HTTP requestcomprises replacing a second path specified in the incoming HTTP requestwith the first path.
 10. One or more non-transitory computer readablemedia storing instructions that, when executed by one or moreprocessors, perform the steps of: determining a set of parametersassociated with an incoming Hypertext Transmission Protocol (HTTP)request, wherein the set of parameters includes at least an entityidentifier and an HTTP method; determining, based on a rule and the setof parameters, that the incoming HTTP request should be routed to anupstream service that is associated with a first path, wherein the rulespecifies a mapping between the set of parameters and the first path;generating an outgoing HTTP request that specifies the first path; andissuing the outgoing HTTP request to cause the upstream service toperform an action requested in the incoming HTTP request.
 11. The one ormore non-transitory computer readable media of claim 10, furthercomprising identifying the rule based on the set of parameters.
 12. Theone or more non-transitory computer readable media of claim 10, whereinthe set of parameters are included in a header of the incoming HTTPrequest.
 13. The one or more non-transitory computer readable media ofclaim 10, further comprising, prior to generating the outgoing HTTPrequest, performing one or more authentication operations based on theincoming HTTP request to determine that the incoming HTTP request isauthentic.
 14. The one or more non-transitory computer readable media ofclaim 10, further comprising, prior to generating the outgoing HTTPrequest, performing one or more authorization operations based on theincoming HTTP request to determine that the incoming HTTP request isauthorized.
 15. The one or more non-transitory computer readable mediaof claim 10, wherein generating the outgoing HTTP request comprises:generating at least one of a tenancy header or a user header based onthe incoming HTTP request; and adding the at least one of the tenancyheader or the user header to the outgoing HTTP request.
 16. The one ormore non-transitory computer readable media of claim 10, whereindetermining that the incoming HTTP request should be routed to theupstream service comprises applying the rule to information specified ina custom header included in the incoming HTTP request.
 17. The one ormore non-transitory computer readable media of claim 10, whereinperforming the action requested in the incoming HTTP request comprisesexecuting one or more search operations or executing one or more storageoperations.
 18. The one or more non-transitory computer readable mediaof claim 10, wherein generating the outgoing HTTP request comprisesreplacing a second path specified in the incoming HTTP request with thefirst path.
 19. A computer system, comprising: a memory storing one ormore instructions; and one or more processors for executing the one ormore instructions to: determine a set of parameters associated with anincoming Hypertext Transmission Protocol (HTTP) request, wherein the setof parameters includes at least an entity identifier and an HTTP method;determine, based on a rule and the set of parameters, that the incomingHTTP request should be routed to an upstream service that is associatedwith a first path, wherein the rule specifies a mapping between the setof parameters and the first path; generate an outgoing HTTP request thatspecifies the first path; and issue the outgoing HTTP request to causethe upstream service to perform an action requested in the incoming HTTPrequest.
 20. The computer system of claim 19, further comprisingidentifying the rule based on the set of parameters.